Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Fri, 29 Jul 2022 11:16:03 -0700 

Hi Stephan,
since Redhat has removed the support for DES/DES3 enctypes completely in RHEL8.3 (and newer) and your client is still using it (I can see it in your provided log: (enctype=1)|(enctype=2)|(enctype=3)) it will fail. 

RHEL8.3 and newer: completely removed support for DES and DES3 keys:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/rhel-8-3-0-release#deprecated-functionality_identity-management


Could you check your Master key on your Kerberos server via: kdb5_util 
list_mkeys
Maybe a re-key of the Master key is needed as well (if it is still on 
DES or DES3).


Regards,
--
Ralf Brunckhorst
rbrunckho...@sinenomine.net

On 11 Jul 2022, at 10:30, Stephan Wonczak wrote:


  Hi Jeffrey,
  Thanks for having a look at the problem.

  However, I obviously did not do a very good job detailing exactly 
what we did ... so here's my next try. Warning: It is going to be 
lengthy :-)



  First off: We do not use SSSD. And we would like to keep it that 
way, since it caused various massive problems in the past.



  On RHEL-7, everything works perfectly. We are using the 
RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
 Looking at the debug-output of the module, this is what the relevant 
part looks like:



Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: 
pam_unix(sshd:session): session opened for user XXXX by (uid=0)
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
default/local realm 'RRZ.UNI-KOELN.DE'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
configured realm 'RRZ.UNI-KOELN.DE'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: debug
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: don't always_allow_localname
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: no ignore_afs
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: no null_afs
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: no cred_session
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: no ignore_k5login
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: user_check
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
will try previously set password first
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
will ask for a password if that fails
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
will let libkrb5 ask questions
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: use_shmem
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: external
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: no multiple_ccaches
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: validate
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
flag: warn
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
banner: Kerberos 5
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
ccache dir: /tmp
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
ccname template: FILE:%d/krb5cc_%U_XXXXXX
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
keytab: FILE:/etc/krb5.keytab
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
token strategy: 2b
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
removing shared memory segment 3 creator pid 3197
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
cleanup function removing shared memory segment 3 belonging to process 
3197
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
obtaining afs tokens
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
creating new PAG
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
trying with ticket (2b)
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
attempting to determine realm for "rrz.uni-koeln.de"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
attempting to obtain tokens for "rrz.uni-koeln.de" 
("afs/rrz.uni-koeln...@rrz.uni-koeln.de")
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
got tokens for cell "rrz.uni-koeln.de"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no 
additional afs cells configured




  We then took the source PRM: pam_krb5-2.4.8-6.el7.src.rpm and did a 
rebuild on a RHEL-8-Machine. This worked without any errors.

  However, when we try to use this to get a token, this happens:


Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_unix(sshd:session): session opened for user a0537 by (uid=0)
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: default/local realm 'RRZ.UNI-KOELN.DE'
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: configured realm 'RRZ.UNI-KOELN.DE'
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: debug
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: don't always_allow_localname
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: no ignore_afs
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: no null_afs
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: no cred_session
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: no ignore_k5login
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: user_check
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: will try previously set password first
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: will ask for a password if that fails
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: will let libkrb5 ask questions
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: use_shmem
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: external
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: no multiple_ccaches
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: validate
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: flag: warn
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: banner: Kerberos 5
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: ccache dir: /tmp
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: keytab: FILE:/etc/krb5.keytab
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: token strategy: 2b
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: removing shared memory segment 29 creator pid 
2204130
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: cleanup function removing shared memory segment 29 
belonging to process 2204130
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: obtaining afs tokens
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: creating new PAG
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: trying with ticket (2b)
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: attempting to determine realm for 
"rrz.uni-koeln.de"
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 
134.95.67.97
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 
134.95.112.8
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 
134.95.109.81
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 
134.95.109.75
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: file server 134.95.67.97 has name 
afs.thp.uni-koeln.de
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" 
("afs/rrz.uni-koeln...@rrz.uni-koeln.de")
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of 
'a0...@rrz.uni-koeln.de': No credentia

ls found with supported encryption types

Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=2) on behalf of 
'a0...@rrz.uni-koeln.de': No credentia

ls found with supported encryption types

Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=3) on behalf of 
'a0...@rrz.uni-koeln.de': No credentia

ls found with supported encryption types

Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" 
("a...@rrz.uni-koeln.de")
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'a...@rrz.uni-koeln.de' (enctype=1) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'a...@rrz.uni-koeln.de' (enctype=2) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'a...@rrz.uni-koeln.de' (enctype=3) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" 
("afsx/rrz.uni-koeln...@rrz.uni-koeln.de")
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'afsx/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'afsx/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=2) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'afsx/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=3) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" 
("a...@rrz.uni-koeln.de")
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'a...@rrz.uni-koeln.de' (enctype=1) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'a...@rrz.uni-koeln.de' (enctype=2) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: error obtaining credentials for 
'a...@rrz.uni-koeln.de' (enctype=3) on behalf of 
'a0...@rrz.uni-koeln.de': No credentials found with supported 
encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: afslog (2b) failed to "rrz.uni-koeln.de"
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: got error -1 (Unknown code ____ 255) while 
obtaining tokens for rrz.uni-koeln.de
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_krb5[2204130]: no additional afs cells configured



  To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. 
On RHEL-8, we still get a valid kerberos ticket, but getting the 
AFS-Token fails. It -is- possible, however, to get a valid AFS-Token 
by klog.krb5. So -in principle- everything is in place to have this 
done by pam_afs.
  The problem is: I have no way to determine why it is complaining 
about "no supported encryption types" when other tools have no 
problems at all!



  Additional infO. Yes, we did rekey our AFS-cell quite a while ago, 
and our afs-Principal has two keys:


kadmin.local:  getprinc afs/rrz.uni-koeln.de
Principal: afs/rrz.uni-koeln...@rrz.uni-koeln.de
<snip>
Anzahl der Schlüssel: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]

  Our users have three:

kadmin.local:  getprinc XXXX
Principal: x...@rrz.uni-koeln.de
<snip>
Anzahl der Schlüssel: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, des-cbc-crc
Key: vno 2, des-cbc-md5:afs3
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]


  Like I said before, I looked at the sources of our version of 
pam_krb5, and the part where it is failing starts at line 775 inside 
the function "minikafs_5log_with_principal" (I'll attach the 
minikafs.c to this mail for reference)


    /* Try to obtain a suitable credential. */
        for (i = 0; i < n_etypes; i++) {
                memset(&mcreds, 0, sizeof(mcreds));
                mcreds.client = client;
                mcreds.server = server;
                if (etypes != NULL) {
                        v5_creds_set_etype(ctx, &mcreds, etypes[i]);
                }
                new_creds = NULL;
                tmp = krb5_get_credentials(ctx, 0, ccache,
                                           &mcreds, &new_creds);
                if (tmp == 0) {
                        if (use_rxk5 &&

                            (minikafs_5settoken2(cell, new_creds, uid) 
== 0)) {

                                krb5_free_creds(ctx, new_creds);

                                v5_free_unparsed_name(ctx, 
unparsed_client);

                                krb5_free_principal(ctx, client);
                                krb5_free_principal(ctx, server);
                                return 0;
                        } else
                        if (use_v5_2b &&

                            (minikafs_5settoken(cell, new_creds, uid) 
== 0)) {

                                krb5_free_creds(ctx, new_creds);

                                v5_free_unparsed_name(ctx, 
unparsed_client);

                                krb5_free_principal(ctx, client);
                                krb5_free_principal(ctx, server);
                                return 0;
                        }
                        krb5_free_creds(ctx, new_creds);
                } else {
                        if (options->debug) {
                                if (etypes != NULL) {

                                        debug("error obtaining 
credentials for "
                                              "'%s' (enctype=%d) on 
behalf of "

                                              "'%s': %s",
                                              principal, etypes[i],
                                              unparsed_client,
                                              v5_error_message(tmp));
                                } else {

                                       	debug("error obtaining 
credentials for "

                                              "'%s' on behalf of "
                                              "'%s': %s",
                                              principal,
                                              unparsed_client,
                                              v5_error_message(tmp));
                                }
                        }
                }
        }

    v5_free_unparsed_name(ctx, unparsed_client);
        krb5_free_principal(ctx, client);
        krb5_free_principal(ctx, server);


  If you or anyone else has any ideas how to tackle the problem, any 
help would be greatly appreciated.


  Cheers from Cologne,
  Stephan Wonczak


On Fri, 8 Jul 2022, Jeffrey E Altman wrote:




Sounds like the version of pam_krb5 you are attempting to build does 
not

include support for rxkad-kdf.

 https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.h
tml

The version of pam_krb5 that supports rxkad-kdf contains a
minikafs_kd_derive() function at minikafs.c line 775.

See https://github.com/frozencemetery/pam_krb5.


As mentioned in my prior reply pam_krb5 should not be used in 
conjunction

with sssd.

Jeffrey Altman

On 7/8/2022 8:35 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:
        Hi everyone!
        (Berthold's colleague here)

        We dug a little deeper and found the part in the
      pam_krb5-sources where it fails. It is in the file "minikafs.c"
      starting in line 775. It looks like the call to

      krb5_get_credentials() gets a non-zero return value, thus 
making

      it bail out.

        The problem is that we (well, at least me!) have no idea 
which

      enctype is expected, and which enctypes are actually tried.
      Debug output is not too helpful here. Any ideas on how to get
      useful information?
        (I should mention I am waaay out of depth here with my
      knowledge of Kerberos, and my C-fu is severely lacking, too ;-)
      )

        To be absolutley clear: We can ssh-login to the machine
      running this pam_krb.so-module, and get a valid krb5-ticket. No
      AFS-token after login, thus no access to AFS. If I do
      "klog.krb5", I -do- get an AFS-Token without any issues, and
      AFS-access starts working as it should.

        It's maddening that only pam_krb5 complains, while other 
tools

      work out of the box.

        Any advice would be greatly appreciated!

        Stephan

      On Fri, 8 Jul 2022, Berthold Cogel wrote:

            Am 07.07.22 um 19:04 schrieb Dirk Heinrichs:
                   Benjamin Kaduk:

                         Are you aware of
                        pam_afs_session
                         (https://github.com/rra/pam-afs-session)?
                        Without knowing more about
                         what you're using pam_krb5
                        for it's hard to make
                        specific suggestions
                         about what alternatives
                        might exist.


                   BTW: pam_krb5 != pam_krb5. There are
                  two different modules with the same
                   name out there. The one shipped with
                  RedHat family distributions comes
                   with integrated AFS support, while the
                  one shipped with Debian family
                   distributions doesn't. That's the
                  reason why Debian also ships
                   pam_afs_session and RH does not.

                   Bye...

                        Dirk


            We're using the pam_krb5 shipped with Red Hat.

            I've rebuild the module from the RHEL 7 source rpm
            on RHEL 8. And it seems to work.... for some value
            of working....

            Supported enctypes in our kdc:
            aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal
            des:afs3

            We 'rekeyed' our AFS environment with
            aes256-cts-hmac-sha1-96:normal to get connections
            from newer Ubuntu/Debian and Fedora 35 working.

            We get a krb5 ticket and a login, but getting the
            AFS token gives errors:

            "error obtaining credentials for
            'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1)
            on behalf of ....: No credentials found with
            supported encryption types"

            Same for two other enctypes.

            So something else changed in RHEL 8, which we
            haven't found yet.


            Regards
            Berthold
            _______________________________________________
            OpenAFS-info mailing list
            OpenAFS-info@openafs.org
         https://lists.openafs.org/mailman/listinfo/openafs-info


          Dipl. Chem. Dr. Stephan Wonczak


              Regionales Rechenzentrum der Universitaet zu 
Koeln

      (RRZK)
              Universitaet zu Koeln, Weyertal 121, 50931 Koeln

              Tel: +49/(0)221/470-89583, Fax: 
+49/(0)221/470-89625






    Dipl. Chem. Dr. Stephan Wonczak

        Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
        Universitaet zu Koeln, Weyertal 121, 50931 Koeln
        Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625





















					Reply via email to