RH 7.3 pam_krb5afs not getting AFS token on login.

pam-list at redhat.com (Mitchell D. Baker) · 05 Aug 2002 09:24:39 -0500

pam_krb5afs.so not getting token on login.  

Details

Trying to get a new RH 7.3 box setup in our environment.  Here is the
background.  We use KRB5 for Authentication, LDAP for user info, AFS for
file services and SSH for remote access.  

Trying to get a new IMAP server up and running..  Here are the packages
loaded for AFS, KRB5 and SSH:

[root@imap1 root]# rpm -qa | grep -i afs
openafs-kernel-1.2.5-rh7.3.1
krbafs-utils-1.1.1-1
krbafs-1.1.1-1
openafs-1.2.5-rh7.3.1
openafs-client-1.2.5-rh7.3.1
openafs-kernel-source-1.2.5-rh7.3.1
krbafs-devel-1.1.1-1
openafs-krb5-1.2.5-rh7.3.1

[root@imap1 root]# rpm -qa | grep -i krb 
pam_krb5-1.55-1
krb5-libs-1.2.4-1
krb5-devel-1.2.4-1
krb5-workstation-1.2.4-1

[root@imap1 root]# rpm -qa | grep -i ssh
openssh-3.1p1-6
openssh-clients-3.1p1-6
openssh-server-3.1p1-6

[root@imap1 root]# rpm -qa | grep -i kernel
kernel-2.4.18-5
kernel-smp-2.4.18-5
kernel-source-2.4.18-5

Now I had to recompile the kernel module for AFS since I am using the
18-5 and the AFS rpm was only compiled for 18-3.

Here is my pam.d/system-auth... I have not modified any other pam.d
config files.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5afs.so use_first_pass
debug
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/pam_krb5afs.so debug

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password    sufficient    /lib/security/pam_krb5afs.so use_authtok debug
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5afs.so debug

Only thing I have done is add the debug option...  And here is the pam
section of my krb5.conf:
[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = true
    afs_cells = rose-hulman.edu
    max_timeout = 30
    timeout_shift = 2
    initial_timeout = 1
  }

And last, my nsswitch.conf for user info:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

Now.. If I try to login as a normal use via SSH... I get authenticated..
User info is found via ldap..... Only thing that does not happen is a
token for the cell is not obtained.  After login I can do a aklog and
all is fine...  So the underlining pieces are there.. The debug output
from syslog looks good for the KRB5 part, but with the AFS here as some
parts that don't look right...  If you want the whole thing let me
know.. 

The KRB4 items seem to be messed up.... 

Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: `mdbaker' has uid 10775,
gid 20
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: attempting to
authenticate `mdbaker'
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: get_int_tkt returned
Success
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: authentication succeeds
for `mdbaker'
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: credentials saved for
`mdbaker'
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: ciphertext length in TGT
= 128
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: service name in v4 TGT
too long: ñÒ^C.«§\231Ð
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Got v4 TGT for `@'
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Got 185 extra bytes in v4
TGT
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Extra data = ^S#@p^L ^H 
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Extra data = "@¨åÿ¿\2265
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: saved return code (0) for
later use

Seems to be reading the config info properly... that is the correct
cell:

Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Creating a ticket with
addresses
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: krb4_convert true
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: will afslog to cells
`rose-hulman.edu'
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: will afslog to cell
`rose-hulman.edu'

Here is a part this I think is not working... The afslog() is returning
a 79.... Don't know what that means....

Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: credentials retrieved
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs:
KRB5CCNAME=FILE:/tmp/krb5cc_10775_5XiAw1
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: opening ticket file
`/tmp/tkt10775_S1vjOS'
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: save v4 creds (@:171), 46
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs:
KRBTKFILE=/tmp/tkt10775_S1vjOS
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: k_setpag()
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: k_setpag() returned 0
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: afslog() to cell
`rose-hulman.edu'
Aug  5 09:06:46 imap1 sshd[1617]: pam_krb5afs: afslog() returned 79

Then I am in the system... But I can't access my home dir since it is in
AFS space and I have no token... If I use aklog then I get a token and
all worked well.. But since this is going to be an IMAP server, and the
"login" will be via IMAP.. I need the token to be obtained during the
authentication process...

Any help would be appreciated...

Thanks

See-ya
Mitch

-- 
/####################################################################/
/# Mitchell "Buzz" Baker               "To Infinity And Beyond..."  #/
/# Sr. Systems/Security Admin  Rose-Hulman Institute of Technology  #/  
/# Mitchell.D.Baker@rose-hulman.edu            www.rose-hulman.edu  #/
/#        For PGP Public key, check out www.keyserver.net           #/
/####################################################################/