Re: strange errors from pam-krb5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ok... Added the "setcred_in_auth" and didn't seem to change the log at all..

(login)

Nov 29 11:29:17 SYSTEM sshd[484]: [ID 551190 auth.debug] pam_krb5: 
pam_sm_authenticate(sshd mdbaker): entry:
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 551190 auth.debug] pam_krb5: 
pam_sm_authenticate(sshd mdbaker): exit: success
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 248316 auth.debug] pam_krb5: 
pam_sm_acct_mgmt(sshd mdbaker): entry:
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 248316 auth.debug] pam_krb5: 
pam_sm_acct_mgmt(sshd mdbaker): exit: success
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 800047 auth.info] Accepted password 
for mdbaker from XXX.XXX.XXX.XXX port 35978 ssh2
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 843472 auth.debug] pam_krb5: 
pam_sm_setcred(sshd mdbaker): entry:
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 843472 auth.debug] pam_krb5: 
pam_sm_setcred(sshd mdbaker): chown(): Not owner
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 843472 auth.debug] pam_krb5: 
pam_sm_setcred(sshd mdbaker): exit: failure
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 833576 auth.debug] pam_setcred: error 
Error in underlying service module
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 993013 auth.debug] pam_sm_setcred(): 
no module data


(logout)

Nov 29 11:29:26 joint sshd[484]: [ID 833576 auth.debug] pam_setcred: error 
Error in underlying service module
Nov 29 11:29:26 joint sshd[484]: [ID 833576 auth.debug] pam_setcred: error 
Permission denied

No the cache file does not exist... One other interesting item... If it 
does exist,
it gets deleted...  That is not right... ;)

See-ya
Mitch


At 11:08 AM 11/29/2001 -0500, you wrote:
>On Thu, Nov 29, 2001 at 09:18:33AM -0600, Steve Langasek wrote:
> > On Thu, Nov 29, 2001 at 09:50:51AM -0500, Mitchell Baker wrote:
> > > Authenticating but NOT setting up credential cache
> > > Solaris 8
> > > OpenSSH_3.0.1p1
> > > MIT KRB5 1.2.2
> >
> > > The pam.conf is the same on both and so is the sshd_config
> >
> > > Do have the debug option on with the pam_krb5. Here is more of the logs.
> > > With logout...
> >
> > > Nov 29 08:04:26 system sshd[880]: [ID 551190 auth.debug] pam_krb5:
> > > pam_sm_authenticate(sshd mdbaker): entry:
> > > Nov 29 08:04:26 system sshd[880]: [ID 551190 auth.debug] pam_krb5:
> > > pam_sm_authenticate(sshd mdbaker): exit: success
> > > Nov 29 08:04:26 system sshd[880]: [ID 248316 auth.debug] pam_krb5:
> > > pam_sm_acct_mgmt(sshd mdbaker): entry:
> > > Nov 29 08:04:26 system sshd[880]: [ID 248316 auth.debug] pam_krb5:
> > > pam_sm_acct_mgmt(sshd mdbaker): exit: success
> > > Nov 29 08:04:26 system sshd[880]: [ID 800047 auth.info] Accepted 
> password
> > > for mdbaker from xxx.xxx.xxx.xxx port 35740 ssh2
> > > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > > pam_sm_setcred(sshd mdbaker): entry:
> > > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > > pam_sm_setcred(sshd mdbaker): chown(): Not owner
> > > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > > pam_sm_setcred(sshd mdbaker): exit: failure
> > > Nov 29 08:04:26 system sshd[880]: [ID 833576 auth.debug] pam_setcred: 
> error
> > > Error in underlying service module
> > > Nov 29 08:04:26 system sshd[880]: [ID 993013 auth.debug] 
> pam_sm_setcred():
> > > no module data
> > > Nov 29 08:04:44 system sshd[880]: [ID 833576 auth.debug] pam_setcred: 
> error
> > > Error in underlying service module
> > > Nov 29 08:04:44 system sshd[880]: [ID 833576 auth.debug] pam_setcred: 
> error
> > > Permission denied
> >
> > Hmm.  Sounds like something has changed in OpenSSH 3.0.1p1 wrt the order
> > of setuid() and pam_setcred() calls.
>
>Indeed, it sounds that way.
>
> > Nico, is this our bug or theirs?
>
>Still looking. Remember, I don't use the latest pam_krb5, yet...
>
>Something looks off though, "... pam_sm_setcred(): no module data"... Is
>OpenSSH perhaps using a different pam handle for the setcred?
>
>Mitchell,
>
>Can you try adding the "setcred_in_auth" option to auth pam_krb5 line?
>
>Also, does a /tmp/krb5cc_<uid> already exist and is it owned by a user
>other than the user you're logging in as?
>
>
> > Steve Langasek
> > postmodern programmer
>
>
>Nico
>--
>
>Visit our website at http://www.ubswarburg.com
>
>This message contains confidential information and is intended only
>for the individual named.  If you are not the named addressee you
>should not disseminate, distribute or copy this e-mail.  Please
>notify the sender immediately by e-mail if you have received this
>e-mail by mistake and delete this e-mail from your system.
>
>E-mail transmission cannot be guaranteed to be secure or error-free
>as information could be intercepted, corrupted, lost, destroyed,
>arrive late or incomplete, or contain viruses.  The sender therefore
>does not accept liability for any errors or omissions in the contents
>of this message which arise as a result of e-mail transmission.  If
>verification is required please request a hard-copy version.  This
>message is provided for informational purposes and should not be
>construed as a solicitation or offer to buy or sell any securities or
>related financial instruments.
>
>
>
>_______________________________________________
>
>Pam-list@redhat.com
>https://listman.redhat.com/mailman/listinfo/pam-list

/####################################################################/
/# Mitchell "Buzz" Baker                "To Infinity And Beyond..." #/
/# Sr. Systems Admin            Rose-Hulman Institute of Technology #/
/# Mitchell.D.Baker@rose-hulman.edu             www.rose-hulman.edu #/
/#         For PGP Public key, check out www.keyserver.net          #/
/####################################################################/





[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux