On Thu, Nov 29, 2001 at 09:18:33AM -0600, Steve Langasek wrote:
> On Thu, Nov 29, 2001 at 09:50:51AM -0500, Mitchell Baker wrote:
> > Authenticating but NOT setting up credential cache
> > Solaris 8
> > OpenSSH_3.0.1p1
> > MIT KRB5 1.2.2
> >
> > The pam.conf is the same on both and so is the sshd_config
> >
> > Do have the debug option on with the pam_krb5. Here is more of the logs.
> > With logout...
> >
> > Nov 29 08:04:26 system sshd[880]: [ID 551190 auth.debug] pam_krb5:
> > pam_sm_authenticate(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 551190 auth.debug] pam_krb5:
> > pam_sm_authenticate(sshd mdbaker): exit: success
> > Nov 29 08:04:26 system sshd[880]: [ID 248316 auth.debug] pam_krb5:
> > pam_sm_acct_mgmt(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 248316 auth.debug] pam_krb5:
> > pam_sm_acct_mgmt(sshd mdbaker): exit: success
> > Nov 29 08:04:26 system sshd[880]: [ID 800047 auth.info] Accepted password
> > for mdbaker from xxx.xxx.xxx.xxx port 35740 ssh2
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > pam_sm_setcred(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > pam_sm_setcred(sshd mdbaker): chown(): Not owner
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > pam_sm_setcred(sshd mdbaker): exit: failure
> > Nov 29 08:04:26 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error
> > Error in underlying service module
> > Nov 29 08:04:26 system sshd[880]: [ID 993013 auth.debug] pam_sm_setcred():
> > no module data
> > Nov 29 08:04:44 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error
> > Error in underlying service module
> > Nov 29 08:04:44 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error
> > Permission denied
>
> Hmm. Sounds like something has changed in OpenSSH 3.0.1p1 wrt the order
> of setuid() and pam_setcred() calls.

Indeed, it sounds that way.

> Nico, is this our bug or theirs?

Still looking.
Remember, I don't use the latest pam_krb5, yet...

Something looks off though, "... pam_sm_setcred(): no module data"...

Is OpenSSH perhaps using a different pam handle for the setcred?

Mitchell,

Can you try adding the "setcred_in_auth" option to auth pam_krb5 line?

Also, does a /tmp/krb5cc_<uid> already exist and is it owned by a user
other than the user you're logging in as?

> Steve Langasek
> postmodern programmer

Nico
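
The last question in the message, whether a /tmp/krb5cc_<uid> exists under another owner, can be checked mechanically. The following is an added example, not part of the original thread or of pam_krb5: it lists `krb5cc_<uid>` entries in a directory and reports those whose owner differs from the uid in the file name. The function names and the tuple layout are assumptions made here, and the demo directory is constructed sample data.

```python
import os
import re
import stat

# Default FILE ccache name asked about in the thread: /tmp/krb5cc_<uid>
CCACHE_RE = re.compile(r"^krb5cc_(\d+)$")


def audit_ccaches(directory="/tmp"):
    """Report krb5cc_<uid> entries that <uid> does not own.

    Returns a list of (path, uid_in_name, owner_uid, is_regular_file).
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        match = CCACHE_RE.match(name)
        if not match:
            continue
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)  # lstat so a symlink is inspected, not followed
        except FileNotFoundError:
            continue  # entry vanished between listdir() and lstat()
        uid_in_name = int(match.group(1))
        if st.st_uid != uid_in_name:
            findings.append(
                (path, uid_in_name, st.st_uid, stat.S_ISREG(st.st_mode))
            )
    return findings


def demo():
    """Run the audit on a constructed directory (sample data, not from the thread)."""
    import tempfile
    me = os.geteuid()
    with tempfile.TemporaryDirectory() as tmp:
        # One cache named for the current uid, one named for a different uid.
        for name in (f"krb5cc_{me}", f"krb5cc_{me + 1}", "unrelated.txt"):
            open(os.path.join(tmp, name), "w").close()
        return [(os.path.basename(p), u, o, r) for p, u, o, r in audit_ccaches(tmp)]


if __name__ == "__main__":
    for path, uid_in_name, owner, regular in audit_ccaches("/tmp"):
        print(f"{path}: named for uid {uid_in_name}, owned by uid {owner}, "
              f"regular file: {regular}")
```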