Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Hi Stephan,

since Red Hat has removed support for the DES/DES3 enctypes completely in RHEL 8.3 (and newer) and your client is still using them (I can see it in your provided log: (enctype=1)|(enctype=2)|(enctype=3)), it will fail.

RHEL 8.3 and newer: completely removed support for DES and DES3 keys:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/rhel-8-3-0-release#deprecated-functionality_identity-management

Could you check your Master key on your Kerberos server via:

    kdb5_util list_mkeys

Maybe a re-key of the Master key is needed as well (if it is still on DES or DES3).

Regards,
--
Ralf Brunckhorst
rbrunckho...@sinenomine.net

On 11 Jul 2022, at 10:30, Stephan Wonczak wrote:

> Hi Jeffrey,
>
> Thanks for having a look at the problem. However, I obviously did not do a very good job detailing exactly what we did ... so here's my next try. Warning: It is going to be lengthy :-)
>
> First off: We do not use SSSD. And we would like to keep it that way, since it caused various massive problems in the past.
>
> On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
>
> Looking at the debug-output of the module, this is what the relevant part looks like:
>
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user by (uid=0)
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: default/local realm 'RRZ.UNI-KOELN.DE'
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no null_afs
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no cred_session
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_k5login
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: user_check
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try previously set password first
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask for a password if that fails
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let libkrb5 ask questions
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: use_shmem
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: external
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no multiple_ccaches
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: Kerberos 5
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: /tmp
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XX
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: FILE:/etc/krb5.keytab
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup function removing shared memory segment 3 belonging to process 3197
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with ticket (2b)
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to determine realm for "rrz.uni-koeln.de"
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
> Jul 8
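Ralf's diagnosis rests on reading the enctype numbers out of the pam_krb5 debug lines. The script below, added here as an example and not code from anyone in the thread, does that mechanically: it extracts every "error obtaining credentials ... (enctype=N)" line, groups the enctypes per service principal, names them (1, 2 and 3 are des-cbc-crc, des-cbc-md4 and des-cbc-md5; the DES3 and AES numbers are from the Kerberos enctype registry) and reports whether the module only ever asked for DES/DES3, which is the signature of a pam_krb5 without rxkad-kdf talking to a DES-less krb5. The sample log is constructed after the RHEL 8 failure Stephan posted; host name, pid and principals are placeholders.

```python
"""Triage pam_krb5 debug logging for DES-only AFS token requests.

Added example (not code from the thread): the sample log lines are
constructed after the ones Stephan posted; host, pid and principals are
placeholders."""
import re
from collections import defaultdict

# Enctype numbers 1-3 are the ones the failing module requests; DES3 and the
# AES types (RFC 3962) are listed so the report can tell legacy from current.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}
# Everything Red Hat removed in RHEL 8.3: DES and DES3.
LEGACY_ENCTYPES = {1, 2, 3, 16}

FAILURE_RE = re.compile(
    r"pam_krb5\[\d+\]: error obtaining credentials for '(?P<service>[^']+)' "
    r"\(enctype=(?P<enctype>\d+)\) on behalf of '(?P<client>[^']+)': "
    r"(?P<reason>.+)$"
)

# Constructed sample, shaped like the RHEL 8 failure in the thread; the last
# line is a made-up non-DES failure so the contrast case is exercised too.
SAMPLE_LOG = """\
Jul  8 15:14:57 host.example.test sshd[4242]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jul  8 15:14:57 host.example.test sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/example.test@EXAMPLE.TEST' (enctype=1) on behalf of 'alice@EXAMPLE.TEST': No credentials found with supported encryption types
Jul  8 15:14:57 host.example.test sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/example.test@EXAMPLE.TEST' (enctype=2) on behalf of 'alice@EXAMPLE.TEST': No credentials found with supported encryption types
Jul  8 15:14:57 host.example.test sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/example.test@EXAMPLE.TEST' (enctype=3) on behalf of 'alice@EXAMPLE.TEST': No credentials found with supported encryption types
Jul  8 15:14:57 host.example.test sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs@EXAMPLE.TEST' (enctype=18) on behalf of 'alice@EXAMPLE.TEST': Server not found in Kerberos database
"""


def parse_failures(lines):
    """Map each service principal to the sorted enctypes that failed for it."""
    failures = defaultdict(set)
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            failures[m.group("service")].add(int(m.group("enctype")))
    return {svc: sorted(ets) for svc, ets in failures.items()}


def is_legacy_only(enctypes):
    """True when the module never asked for anything but DES/DES3: exactly
    what an rxkad-kdf-less pam_krb5 does, and nothing a RHEL 8.3+ krb5 serves."""
    return bool(enctypes) and all(et in LEGACY_ENCTYPES for et in enctypes)


def triage(lines):
    """Per service principal: enctypes tried (by name) and the DES-only verdict."""
    return {
        svc: {
            "tried": [ENCTYPE_NAMES.get(et, f"enctype {et}") for et in ets],
            "legacy_only": is_legacy_only(ets),
        }
        for svc, ets in parse_failures(lines).items()
    }


if __name__ == "__main__":
    for svc, info in triage(SAMPLE_LOG.splitlines()).items():
        verdict = ("DES-only request set: pam_krb5 lacks rxkad-kdf"
                   if info["legacy_only"] else "not a DES-only problem")
        print(f"{svc}: tried {', '.join(info['tried'])} -> {verdict}")
```

To run it against a real host, feed it the sshd lines from /var/log/secure or the journal instead of SAMPLE_LOG; a principal whose only failed enctypes are 1, 2 and 3 is the case Ralf describes, while a failure under enctype 17 or 18 points somewhere else (keytab, KDC, realm mapping).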
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Hi Jeffrey,

Thanks for having a look at the problem. However, I obviously did not do a very good job detailing exactly what we did ... so here's my next try. Warning: It is going to be lengthy :-)

First off: We do not use SSSD. And we would like to keep it that way, since it caused various massive problems in the past.

On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64

Looking at the debug-output of the module, this is what the relevant part looks like:

Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user by (uid=0)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: default/local realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no null_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no cred_session
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_k5login
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: user_check
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try previously set password first
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask for a password if that fails
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let libkrb5 ask questions
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: use_shmem
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: external
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no multiple_ccaches
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: Kerberos 5
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: /tmp
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XX
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: FILE:/etc/krb5.keytab
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup function removing shared memory segment 3 belonging to process 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with ticket (2b)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to determine realm for "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/rrz.uni-koeln...@rrz.uni-koeln.de")
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens for cell "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no additional afs cells configured

We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild on a RHEL-8-Machine. This worked without any errors. However, when we try to use this to get a token, this happens:

Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_unix(sshd:session): session opened for user a0537 by (uid=0)
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Not surprised that they patched something useful in. And it is a useful option.

thanks

On Mon, Jul 11, 2022 at 12:40:57PM -0700, Carson Gaspar wrote:
> This is a Red Hat patch: openssh-7.7p1-gssapi-new-unique.patch
>
> On 7/11/2022 12:26 PM, Dirk Heinrichs wrote:
> > Dave Botsch:
> >
> > > Maybe it's not in newer release of openssh?
> >
> > Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't have it. See
> > https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html
> >
> > Bye...
> >
> > Dirk

--
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
This is a Red Hat patch: openssh-7.7p1-gssapi-new-unique.patch

On 7/11/2022 12:26 PM, Dirk Heinrichs wrote:
> Dave Botsch:
>
> > Maybe it's not in newer release of openssh?
>
> Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't have it. See
> https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html
>
> Bye...
>
> Dirk
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Yup, I see that that option is not there on rhel6 with openssh-server-5.3p1-124.el6_10.x86_64 so must be a new option. And something that was clearly handled differently on RHEL6.

thanks!

On Mon, Jul 11, 2022 at 09:26:54PM +0200, Dirk Heinrichs wrote:
> Dave Botsch:
>
> > Maybe it's not in newer release of openssh?
>
> Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't have it. See
> https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html
>
> Bye...
>
> Dirk
>
> --
> Dirk Heinrichs
> Matrix address: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de

--
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Dave Botsch:

> Maybe it's not in newer release of openssh?

Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't have it. See
https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html

Bye...

Dirk

--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Maybe it's not in newer release of openssh? RHEL8 is using:

$ rpm -q openssh-server
openssh-server-8.0p1-13.el8.x86_64

And from the man page:

KerberosUniqueCCache
    Specifies whether to store the acquired tickets in the per-session credential cache under /tmp/ or whether to use per-user credential cache as configured in /etc/krb5.conf. The default value no can lead to overwriting previous tickets by subsequent connections to the same user account.

And this gets a bit interesting depending on what's in /etc/krb5.conf and if using sssd what's in sssd.conf for kerberos.

Thanks.

On Mon, Jul 11, 2022 at 07:54:12PM +0200, Dirk Heinrichs wrote:
> Dave Botsch:
>
> > KerberosUniqueCCache=yes in sshd.conf
>
> Could you elaborate on what this option is good for? I can't find it in sshd_config(5), neither on a Debian Bookworm system with OpenSSH 9.0, nor in online man-pages of Arch Linux or upstream OpenSSH. Is this some special RH-only thing?
>
> Thanks a lot...
>
> Dirk
>
> --
> Dirk Heinrichs
> Matrix address: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de

--
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Dave Botsch:

> KerberosUniqueCCache=yes in sshd.conf

Could you elaborate on what this option is good for? I can't find it in sshd_config(5), neither on a Debian Bookworm system with OpenSSH 9.0, nor in online man-pages of Arch Linux or upstream OpenSSH. Is this some special RH-only thing?

Thanks a lot...

Dirk

--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Since we are not using PAGs anymore on most of our systems and instead using UID based logins for tokens, I should retest and see what does and doesn't work with keyrings as I honestly don't recall at this point, and things have changed with the various point releases of RHEL8. One of the challenges when testing is that things can appear to work when in reality, the last login didn't actually destroy all credentials.

My memory does say, though, that on login we did successfully get kerberos tickets in the keyring (aklog may be a different story, though, and I have a note that that didn't work without:

    KerberosUniqueCCache=yes in sshd.conf

though no more details, stream of thought comments Lol)

There's a couple of systems where we still use PAGs so that when a user logs out with multiple logins, their other logins still have tokens. With systemd-login, that may not actually be needed to accomplish said end goal. All future stuff to play with.

On Mon, Jul 11, 2022 at 01:20:31PM -0400, Ken Hornstein wrote:
> > We went back to using FILE based caches for use along with PAGs. Something didn't work right with keyring caches, and I don't recall what.
>
> Ah-HA. I was wondering about that. I suspect you ran into the base problem that my PAM stack solves, namely that _in_ the PAM stack you're running as root and that creates a keyring cache owned by root which doesn't work after you call setuid().
>
> It's kind of a challenging corner case; you receive forwarded credentials in a daemon running as root, but then you have to write them out as the user. How do you do that at the right point in the daemon process, especially when they assume after setuid() is called they have all of the normal rights of a user? My solution was designed so that after you exited the session stack you had all of the Kerberos and AFS stuff set up properly. I'm open to other ideas! But recall that for us keyrings are a hard requirement.
>
> --Ken

--
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
We went back to using FILE based caches for use along with PAGs. Something didn't work right with keyring caches, and I don't recall what.

I believe our general path was, keyring didn't work, ok, go to file based. Now get sssd and pam_afs_session working properly and work around the krb5-1.18 breakage. Did we ever go back to trying keyring again? Not sure.

Of course, on several systems, we have eliminated the use of PAGs due to the aforementioned problems with systemd-login and gnome-shell stuff not working properly with PAGs. So on those, could probably switch back to keyring credentials.

thanks.

On Mon, Jul 11, 2022 at 11:05:33AM -0400, Ken Hornstein wrote:
> > I think all we had to do, actually, was set appropriate options for GSSAPI in sshd_config ... and make sure it was still using PAM for the account and session pieces.
>
> Right, but do you use both keyring credential caches and PAGs? Those two were what made things difficult for us. In my experience if the keyring credential cache is owned by root then you can't add new credentials to it as a vanilla user (and vice versa).
>
> --Ken

--
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
I think all we had to do, actually, was set appropriate options for GSSAPI in sshd_config ... and make sure it was still using PAM for the account and session pieces. We did not have to use any stashcred or chuser stuff... our session stack looks like:

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_afs_session.so program=/opt/local/bin/aklog
session     required      pam_unix.so
session     optional      pam_sss.so

(We had to recompile aklog to deal with krb5-1.18 breaking unique kerberos caches, hence pointing to the other external aklog program, which does, btw, work with the standard pam_afs_session)

I believe all we did was to add the pam_afs_session line to the session stack.

Thanks.

On Mon, Jul 11, 2022 at 10:14:39AM -0400, Ken Hornstein wrote:
> > (of course, authenticating with kerberos tickets instead of passwords is a tad more complicated with sshd doing stuff, too).
>
> Yeah, tell me about it. This is the PAM stack we ended up with:
>
> session required pam_stashcred.so save
> session required pam_chuser.so r2user
> session required pam_afs_session.so notokens
> session required pam_chuser.so r2e
> session required pam_chuser.so e2user
> session required pam_stashcred.so restore force-keyring
> session required pam_chuser.so e2r
> session required pam_afs_session.so nopag
>
> stashcred and chuser are PAM modules I wrote. For us the use of keyring credential caches is non-negotiable, but the owner of the session keyring ends up being wrong without some help. And sadly the owner of the AFS PAG is based on the real userid, but the Kerberos credential cache owner is based on the effective userid. So we use stashcred to save the Kerberos credential cache internally (received via credential forwarding), set the real userid to the value of the authenticated userid using chuser, create the PAG with pam_afs_session so it is owned by the authenticated user, switch things so now the effective userid is the authenticated userid, restore the Kerberos credential cache (and force it to be keyring and set KRB5CCNAME appropriately), switch everything back so we're running as root again, and THEN get an AFS token. It's a mess, but we get keyring credential caches and PAGs and it all works.
>
> --Ken

--
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Hi all!

Jeffrey pointed us in the right direction - and most useful, a reason why it failed for us. Kudos to Jeffrey, as always!

Since we won't touch SSSD with a 10-yard-stick, we gave pam_afs_session.so a spin. And lo and behold: It really worked! We have the following in our password-auth:

(...)
auth     sufficient  pam_krb5.so forward_pass ignore_afs=true
auth     required    pam_afs_session.so program=/usr/bin/aklog
auth     required    pam_deny.so
(...)
session  optional    pam_krb5.so ignore_afs=true
session  required    pam_afs_session.so program=/usr/bin/aklog

Still needs a bit more testing, but now AFS-Login is working and no sssd in sight ;-) Might be useful to others with a similar problem.

Cheers from Cologne, Stephan

On Mon, 11 Jul 2022, Dave Botsch wrote:
> I wanted to mention that we are successfully doing ssh and gnome-shell logins with pam_sssd where sssd takes care of authN via kerberos and via ldap provides group information, and pam_afs_session to get afs tokens.
>
> Two difficulties... if using PAGSHs, not all processes run inside a pagsh, which can break gnome-shell stuff. So not using PAGsh is recommended.
>
> and with systemd_login, it and subprocesses don't necessarily quit on logout. Which means they are sitting there banging away against afs with no tokens (if you use afs homedirs). There is an option to force systemd_login to quit at logout, though this breaks the use of things like screen and tmux, iirc.
>
> I'm happy to provide our configs (we worked with RedHat support to get sssd working properly migrating from nslcd and pam_krb5 on rhel6).
>
> thanks
>
> On Sat, Jul 09, 2022 at 10:06:06AM -0400, Ken Hornstein wrote:
> > > Only if you let sssd touch Kerberos. There are any number of reasons not to let it do so (no clue if the KRB5 and LDAP problems are fixed in later versions, but the EL8 code was written by crazed weasels on crack). But I'd use Russ' pam_krb5 instead of one from EL7 (https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which would probably require you use pam_afs_session as suggested (unless I'm missing something in the docs, which is very possible).
> >
> > I guess this explains why when everyone talks about the Kerberos issues they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd anywhere near Kerberos and it sounds like that's a bad idea (at least for the things we want to do).
> >
> > --Ken
>
> --
> David William Botsch
> Programmer/Analyst
> @CornellCNF
> bot...@cnf.cornell.edu

Dipl. Chem. Dr. Stephan Wonczak
Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
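Stephan's working password-auth and Dave's session stack differ from the failing setup in one concrete way: tokens are obtained by pam_afs_session, and where pam_krb5 stays in the stack it is told not to try its own (DES-only, on the EL7 build) token code. The linter below, added here as an example and not code from either poster or from the pam_afs_session project, parses pam.d lines (including the bracketed control field and the leading "-" form in Dave's stack) and reports exactly those two conditions. The reference stacks are the ones posted in the thread; the "bad" and "mixed" variants are constructed for the checks.

```python
"""Lint a PAM service file for the pam_krb5 -> pam_afs_session hand-off
described in the thread.  Added example; the checks only encode what the
posted working configurations have in common."""
import re
from dataclasses import dataclass, field

# type  control-or-[bracketed]  module  args...
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    type: str                      # auth / account / password / session
    control: str                   # required, sufficient, optional or [...] form
    module: str                    # e.g. pam_afs_session.so
    args: list = field(default_factory=list)
    skip_if_missing: bool = False  # leading '-': pam skips the line if the .so is absent


def parse_pam(text):
    """Parse /etc/pam.d-style text; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        skip = line.startswith("-")
        m = PAM_LINE.match(line[1:] if skip else line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, rest = m.groups()
        entries.append(PamEntry(typ.lower(), control, module, rest.split(), skip))
    return entries


def lint_afs(text):
    """Return findings; an empty list means the stack matches the working shape."""
    entries = parse_pam(text)
    findings = []
    has_afs_session = any(e.module == "pam_afs_session.so"
                          for e in entries if e.type == "session")
    if not has_afs_session:
        findings.append("session stack has no pam_afs_session.so: "
                        "nothing obtains an AFS token at login")
    for e in entries:
        if e.module == "pam_krb5.so" and has_afs_session \
                and not any(a.startswith("ignore_afs") for a in e.args):
            findings.append(f"{e.type}: pam_krb5.so without ignore_afs; its built-in "
                            "token code (DES-only in the EL7 build) runs instead of "
                            "leaving tokens to pam_afs_session")
    return findings


# Stephan's password-auth fragment as posted (known-good reference).
GOOD = """\
auth     sufficient  pam_krb5.so forward_pass ignore_afs=true
auth     required    pam_afs_session.so program=/usr/bin/aklog
auth     required    pam_deny.so
session  optional    pam_krb5.so ignore_afs=true
session  required    pam_afs_session.so program=/usr/bin/aklog
"""

# Dave's session stack as posted (sssd variant, no pam_krb5 at all).
DAVE = """\
session    optional    pam_keyinit.so revoke
session    required    pam_limits.so
-session   optional    pam_systemd.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    optional    pam_afs_session.so program=/opt/local/bin/aklog
session    required    pam_unix.so
session    optional    pam_sss.so
"""

# Constructed: the pre-fix shape, pam_krb5 alone in charge of tokens.
BAD = """\
auth     sufficient  pam_krb5.so forward_pass
auth     required    pam_deny.so
session  optional    pam_krb5.so
"""

# Constructed: pam_afs_session added but pam_krb5 still tries tokens itself.
MIXED = """\
auth     sufficient  pam_krb5.so forward_pass ignore_afs=true
auth     required    pam_afs_session.so program=/usr/bin/aklog
auth     required    pam_deny.so
session  optional    pam_krb5.so
session  required    pam_afs_session.so program=/usr/bin/aklog
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("DAVE", DAVE), ("BAD", BAD), ("MIXED", MIXED)):
        print(name, lint_afs(text) or "ok")
```

On a real host, read /etc/pam.d/password-auth (or system-auth) into lint_afs; the parser raises on lines it cannot split into type, control, module and arguments, which is itself worth knowing before a login test.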
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
In our case, we use multiple kerberos domains to authenticate users. So in pam.d/password-auth...

auth sufficient pam_sss.so forward_pass

then lets sssd take care of figuring out via an ldap lookup, which kerberos domain to authenticate the user against. (of course, authenticating with kerberos tickets instead of passwords is a tad more complicated with sshd doing stuff, too).

nsswitch is also involved for lines like:

account sufficient pam_succeed_if.so user ingroup users

(where the group users is populated by sssd via ldap lookup into AD)

Thanks.

On Mon, Jul 11, 2022 at 09:43:48AM -0400, Ken Hornstein wrote:
> > I wanted to mention that we are successfully doing ssh and gnome-shell logins with pam_sssd where sssd takes care of authN via kerberos and via ldap provides group information, and pam_afs_session to get afs tokens.
>
> I guess _this_ is the part I'm confused about; why is pam_sss in there? I know that other people do this so I'm sure there's a reason, but we never found it necessary. We do use sssd, but only via nsswitch; we control per-host access with ldap-based netgroups.
>
> --Ken

--
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
I wanted to mention that we are successfully doing ssh and gnome-shell logins with pam_sssd where sssd takes care of authN via kerberos and via ldap provides group information, and pam_afs_session to get afs tokens.

Two difficulties... if using PAGSHs, not all processes run inside a pagsh, which can break gnome-shell stuff. So not using PAGsh is recommended.

and with systemd_login, it and subprocesses don't necessarily quit on logout. Which means they are sitting there banging away against afs with no tokens (if you use afs homedirs). There is an option to force systemd_login to quit at logout, though this breaks the use of things like screen and tmux, iirc.

I'm happy to provide our configs (we worked with RedHat support to get sssd working properly migrating from nslcd and pam_krb5 on rhel6).

thanks

On Sat, Jul 09, 2022 at 10:06:06AM -0400, Ken Hornstein wrote:
> > Only if you let sssd touch Kerberos. There are any number of reasons not to let it do so (no clue if the KRB5 and LDAP problems are fixed in later versions, but the EL8 code was written by crazed weasels on crack). But I'd use Russ' pam_krb5 instead of one from EL7 (https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which would probably require you use pam_afs_session as suggested (unless I'm missing something in the docs, which is very possible).
>
> I guess this explains why when everyone talks about the Kerberos issues they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd anywhere near Kerberos and it sounds like that's a bad idea (at least for the things we want to do).
>
> --Ken

--
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
reply inline

On 7/11/2022 4:30 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:
> Hi Jeffrey,
>
> Thanks for having a look at the problem. However, I obviously did not do a very good job detailing exactly what we did ... so here's my next try. Warning: It is going to be lengthy :-)
>
> First off: We do not use SSSD. And we would like to keep it that way, since it caused various massive problems in the past.
>
> On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64

The version of pam_krb5 is not the only variable that matters. As I mentioned in my earlier replies, pam_krb5-2.4.8-6.el7 does not include support for rxkad-kdf, which is required in order to make use of Kerberos encryption types other than des-cbc-crc, for example aes256-cts-hmac-sha1-96. Without that functionality pam_krb5 only works with Kerberos v5 service tickets whose session keys are des-cbc-crc.

> We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild on a RHEL-8-Machine. This worked without any errors. However, when we try to use this to get a token, this happens:
>
> ...
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=2) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=3) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("a...@rrz.uni-koeln.de")
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'a...@rrz.uni-koeln.de' (enctype=1) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'a...@rrz.uni-koeln.de' (enctype=2) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'a...@rrz.uni-koeln.de' (enctype=3) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
> ...

ETYPE_DES_CBC_CRC(1)
ETYPE_DES_CBC_MD4(2)
ETYPE_DES_CBC_MD5(3)

The pam_krb5 from rhel7 only knows how to request tickets with DES encryption types. It assumes that OpenAFS cannot support anything else because it does not have the rxkad-kdf functionality that was added to pam_krb5 post-rhel7 (Jan 4, 2016):
https://github.com/frozencemetery/pam_krb5/commit/3be27655bf9d2520e776ef22ba6bb9486005fff1

> To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. On RHEL-8, we still get a valid kerberos ticket, but getting the AFS-Token fails. It -is- possible, however, to get a valid AFS-Token by klog.krb5. So -in principle- everything is in place to have this done by pam_afs. The problem is: I have no way to determine why it is complaining about "no supported encryption types" when other tools have no problems at all!

The answer to this is simple. The krb5 libraries included in rhel7 support DES encryption types. The krb5 libraries included with rhel8 do not. As a result, a pam_krb5 that supports rxkad-kdf is required.

> Additional info. Yes, we did rekey our AFS-cell quite a while ago, and our afs-Principal has two keys:
>
> kadmin.local: getprinc afs/rrz.uni-koeln.de
> Principal: afs/rrz.uni-koeln...@rrz.uni-koeln.de
> Anzahl der Schlüssel: 2
> Key: vno 5, aes256-cts-hmac-sha1-96
> Key: vno 4, des-cbc-crc
> MKey: vno 1
> Attribute: REQUIRES_PRE_AUTH
> Richtlinie: [keins]

I hope the vno 4 des-cbc-crc key is not present on any of the rrz.uni-koeln.de servers. If it is, the servers are still vulnerable to OPENAFS-SA-2013-003 - Brute force DES attack permits compromise of AFS cell
http://www.openafs.org/pages/security/#OPENAFS-SA-2013-003

> Like I said before, I looked at the sources of our version of pam_krb5, and the part where it is failing starts at line 775 inside the function "minikafs_5log_with_principal" (I'll attach the minikafs.c to this mail for reference)

This version of minikafs.c does not support rxkad-kdf.

> If you or anyone else has any ideas how to tackle the problem, any help would be greatly appreciated.

Deploy a version of pam_krb5 which contains the required rxkad-kdf functionality.
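Two checks in the thread come down to reading enctypes out of KDC tool output: Ralf's request to look at the master key with kdb5_util list_mkeys, and Jeffrey's concern that the stale vno 4 des-cbc-crc key on the afs principal keeps OPENAFS-SA-2013-003 alive. The audit below, added here as an example and not code from the thread or from MIT Kerberos, parses both kinds of output and says whether a principal needs a fresh key (only weak enctypes present) or only needs its old weak kvno purged (a strong key already exists). kadmin's "Key: vno N, enctype" lines are as Stephan posted them; the kdb5_util sample and its "KVNO: N, Enctype: ..." layout are an assumption, and both samples use placeholder realms.

```python
"""Audit Kerberos principal and master keys for enctypes RHEL 8.3+ no longer
supports.  Added example; kadmin line shapes follow the thread, the
kdb5_util list_mkeys line shape is assumed, realms are placeholders."""
import re

# DES/DES3 (dropped by Red Hat in RHEL 8.3) plus arcfour-hmac, deprecated by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "arcfour-hmac"}

KADMIN_KEY = re.compile(r"^\s*Key:\s*vno\s+(\d+),\s*([A-Za-z0-9-]+)")       # kadmin getprinc
MKEY_LINE = re.compile(r"^\s*KVNO:\s*(\d+),\s*Enctype:\s*([A-Za-z0-9-]+)")  # kdb5_util list_mkeys (assumed)


def extract_keys(output):
    """Return [(kvno, enctype)] from kadmin or kdb5_util output.  Only the
    Key:/KVNO: lines are read, so localized labels (like the German kadmin
    output in the thread) do not matter; a trailing ':salt' or ', no salt'
    suffix is cut off by the enctype character class."""
    keys = []
    for line in output.splitlines():
        m = KADMIN_KEY.match(line) or MKEY_LINE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(2).lower()))
    return keys


def audit(output):
    """Classify: 'ok' (no weak key), 'purge' (strong key exists, weak kvno is
    stale and should be removed from KDC and servers), 'rekey' (only weak
    keys, a new key must be added first)."""
    keys = extract_keys(output)
    weak = [(v, e) for v, e in keys if e in WEAK_ENCTYPES]
    strong = [(v, e) for v, e in keys if e not in WEAK_ENCTYPES]
    if not weak:
        verdict = "ok"
    elif strong:
        verdict = "purge"
    else:
        verdict = "rekey"
    return {"keys": keys, "weak": weak, "verdict": verdict}


# Constructed after Stephan's getprinc output: same two key lines, placeholder principal.
GETPRINC_SAMPLE = """\
kadmin.local: getprinc afs/example.test
Principal: afs/example.test@EXAMPLE.TEST
Anzahl der Schlüssel: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]
"""

# Constructed kdb5_util list_mkeys output (line layout assumed): DES master key.
MKEYS_SAMPLE = """\
Master keys for Principal: K/M@EXAMPLE.TEST
KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970 *
"""

if __name__ == "__main__":
    for label, sample in (("afs principal", GETPRINC_SAMPLE), ("master key", MKEYS_SAMPLE)):
        r = audit(sample)
        print(f"{label}: keys={r['keys']} weak={r['weak']} -> {r['verdict']}")
```

A "purge" verdict is the thread's situation: once every file server's KeyFile/rxkad.keytab has been confirmed to hold only the aes256 kvno 5 key, the stale kvno 4 can be dropped from the KDC with kadmin's purgekeys command. A "rekey" verdict on the master key is Ralf's case and is handled with kdb5_util's add_mkey, use_mkey and update_princ_encryption sequence rather than by editing principals one by one.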
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems (fwd)
(resend without attachment - original Mail did not make it to the list!)

Hi Jeffrey,

Thanks for having a look at the problem. However, I obviously did not do a very good job detailing exactly what we did ... so here's my next try. Warning: It is going to be lengthy :-)

First off: We do not use SSSD. And we would like to keep it that way, since it caused various massive problems in the past.

On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64

Looking at the debug-output of the module, this is what the relevant part looks like:

Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user by (uid=0)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: default/local realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no null_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no cred_session
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_k5login
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: user_check
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try previously set password first
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask for a password if that fails
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let libkrb5 ask questions
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: use_shmem
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: external
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no multiple_ccaches
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: Kerberos 5
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: /tmp
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XX
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: FILE:/etc/krb5.keytab
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup function removing shared memory segment 3 belonging to process 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with ticket (2b)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to determine realm for "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/rrz.uni-koeln...@rrz.uni-koeln.de")
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens for cell "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no additional afs cells configured

We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild on a RHEL-8-Machine. This worked without any errors. However, when we try to use this to get a token, this happens:

Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_unix(sshd:session): session opened
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On 7/8/2022 6:57 AM, Jeffrey E Altman wrote:
> Use of the RHEL7 pam_krb5 on a sssd enabled system will do the wrong thing since it's going to step on the toes of sssd's Kerberos ticket processing.

Only if you let sssd touch Kerberos. There are any number of reasons not to let it do so (no clue if the KRB5 and LDAP problems are fixed in later versions, but the EL8 code was written by crazed weasels on crack).

But I'd use Russ' pam_krb5 instead of one from EL7 (https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which would probably require you use pam_afs_session as suggested (unless I'm missing something in the docs, which is very possible).

-- Carson

___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Jeffrey E Altman:
> Red Hat's pam_krb5 is not shipped nor supported for RHEL8 (or later).

Ah, OK. As a non-RH user, I wasn't aware they threw it out. Thanks for clarifying.

> The replacement is sssd which supports Kerberos ticket acquisition but
> not AFS token acquisition. The recommendation for acquiring AFS tokens
> on sssd enabled systems is to use pam_afs_session

Yep, that's what I also do on my sssd-enabled (because of AD) Debian systems.

Bye...

Dirk

--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Stephan Wonczak:
> Any advice would be greatly appreciated!

As Benjamin wrote: Try pam_afs_session. Should be added to the "auth" and "session" blocks of your PAM setup.

https://packages.debian.org/bullseye/libpam-afs-session
https://www.eyrie.org/~eagle/software/pam-afs-session

HTH...

Dirk

--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Sounds like the version of pam_krb5 you are attempting to build does not include support for rxkad-kdf.

https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html

The version of pam_krb5 that supports rxkad-kdf contains a minikafs_kd_derive() function at minikafs.c line 775. See https://github.com/frozencemetery/pam_krb5.

As mentioned in my prior reply pam_krb5 should not be used in conjunction with sssd.

Jeffrey Altman

On 7/8/2022 8:35 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:
> Hi everyone! (Berthold's colleague here)
>
> We dug a little deeper and found the part in the pam_krb5-sources where it fails. It is in the file "minikafs.c" starting in line 775. It looks like the call to krb5_get_credentials() gets a non-zero return value, thus making it bail out. The problem is that we (well, at least me!) have no idea which enctype is expected, and which enctypes are actually tried. Debug output is not too helpful here. Any ideas on how to get useful information? (I should mention I am waaay out of depth here with my knowledge of Kerberos, and my C-fu is severely lacking, too ;-) )
>
> To be absolutely clear: We can ssh-login to the machine running this pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after login, thus no access to AFS. If I do "klog.krb5", I -do- get an AFS-Token without any issues, and AFS-access starts working as it should. It's maddening that only pam_krb5 complains, while other tools work out of the box.
>
> Any advice would be greatly appreciated!
>
> Stephan
>
> On Fri, 8 Jul 2022, Berthold Cogel wrote:
>> On 07.07.22 at 19:04, Dirk Heinrichs wrote:
>>> Benjamin Kaduk:
>>>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>>>
>>> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>>>
>>> Bye...
>>>
>>> Dirk
>>
>> We're using the pam_krb5 shipped with Red Hat. I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work for some value of working.
>>
>> Supported enctypes in our kdc:
>> aes256-cts-hmac-sha1-96:normal
>> des-cbc-crc:normal
>> des:afs3
>>
>> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.
>>
>> We get a krb5 ticket and a login, but getting the AFS token gives errors:
>> "error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of : No credentials found with supported encryption types"
>> Same for two other enctypes.
>>
>> So something else changed in RHEL 8, which we haven't found yet.
>>
>> Regards
>> Berthold
>
> Dipl. Chem. Dr. Stephan Wonczak
> Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
> Universitaet zu Koeln, Weyertal 121, 50931 Koeln
> Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On 7/7/2022 1:04 PM, Dirk Heinrichs (dirk.heinri...@altum.de) wrote:
> Benjamin Kaduk:
>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>
> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>
> Bye...
>
> Dirk

Red Hat's pam_krb5 is not shipped nor supported for RHEL8 (or later). The replacement is sssd which supports Kerberos ticket acquisition but not AFS token acquisition. The recommendation for acquiring AFS tokens on sssd enabled systems is to use pam_afs_session

https://github.com/SSSD/sssd/issues/1505 "Support/Cache OpenAFS Authentication"

Use of the RHEL7 pam_krb5 on a sssd enabled system will do the wrong thing since it's going to step on the toes of sssd's Kerberos ticket processing. pam-afs-session is the correct tool to use on RHEL8 and later. The pam-afs-session bundled with AuriStorFS clients is known to acquire tokens in conjunction with sssd. The primary differences between AuriStorFS pam_afs_session and Russ' are code quality improvements and use of external aklog and unlog instead of built-ins.

Jeffrey Altman
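The PAM layout the thread converges on (Dirk: pam_afs_session in both the "auth" and "session" blocks; Jeffrey: do not run the RHEL 7 pam_krb5 next to sssd), as an added example that is not code from pam-afs-session, sssd or any poster. The good and bad stacks are constructed for this example; the control flags follow the pam-afs-session documentation as I read it and are an assumption, and which file the lines belong in (/etc/pam.d/sshd, system-auth, ...) is a site decision. The checker is generic: it reads any Linux-PAM style stack, including bracketed control fields.

```python
"""Check a PAM stack for the layout recommended in the thread (added
example, not code from pam-afs-session or sssd): sssd's pam_sss does the
Kerberos authentication, pam_afs_session obtains the AFS token in both the
auth and session phases, and the RHEL 7 pam_krb5 is not mixed in with
pam_sss.  Control flags follow the pam-afs-session documentation as I read
it (an assumption); both stacks below are constructed for this example.
"""
import re

# type  control  module [args]; control may be a bracketed action list.
LINE_RE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
)
KERBEROS_MODULES = ("pam_sss.so", "pam_krb5.so")

GOOD_STACK = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_sss.so use_first_pass
auth     optional   pam_afs_session.so
auth     required   pam_deny.so
account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
session  optional   pam_keyinit.so revoke
session  required   pam_unix.so
session  optional   pam_sss.so
session  optional   pam_afs_session.so
"""

# The RHEL 7 pam_krb5 dropped in next to pam_sss, with pam_afs_session in the
# wrong place in auth and absent from the session phase.
BAD_STACK = """\
auth     required   pam_env.so
auth     optional   pam_afs_session.so
auth     sufficient pam_krb5.so
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
session  required   pam_unix.so
"""


def parse_pam(text):
    """Return [(type, control, module basename), ...], skipping comments."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["type"], m["control"], m["module"].rsplit("/", 1)[-1]))
    return out


def check_afs_stack(text):
    """Return problems found; an empty list means the stack is as recommended."""
    entries = parse_pam(text)
    present = {(t, mod) for t, _, mod in entries}
    problems = []
    if ("auth", "pam_krb5.so") in present and ("auth", "pam_sss.so") in present:
        problems.append("pam_krb5.so and pam_sss.so both in auth: pam_krb5 "
                        "steps on sssd's Kerberos ticket handling")
    for phase in ("auth", "session"):
        if (phase, "pam_afs_session.so") not in present:
            problems.append("pam_afs_session.so missing from the %s phase" % phase)
    # In auth, the token module must come after whatever obtains the TGT.
    auth = [mod for t, _, mod in entries if t == "auth"]
    if "pam_afs_session.so" in auth:
        krb = [i for i, mod in enumerate(auth) if mod in KERBEROS_MODULES]
        if krb and auth.index("pam_afs_session.so") < krb[0]:
            problems.append("pam_afs_session.so runs before the Kerberos module "
                            "in auth, when no ticket exists yet")
    return problems


if __name__ == "__main__":
    for name, stack in (("good", GOOD_STACK), ("bad", BAD_STACK)):
        print(name, check_afs_stack(stack) or "no problems")
```

Point check_afs_stack at the contents of the PAM file sshd actually uses (on RHEL that is usually /etc/pam.d/sshd plus the included system-auth/password-auth); an empty result means pam_afs_session sits after the Kerberos module in auth and is also present in session, which is the placement Dirk describes and the one that avoids the pam_krb5/sssd conflict Jeffrey warns about.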
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Hi everyone! (Berthold's colleague here)

We dug a little deeper and found the part in the pam_krb5-sources where it fails. It is in the file "minikafs.c" starting in line 775. It looks like the call to krb5_get_credentials() gets a non-zero return value, thus making it bail out. The problem is that we (well, at least me!) have no idea which enctype is expected, and which enctypes are actually tried. Debug output is not too helpful here. Any ideas on how to get useful information? (I should mention I am waaay out of depth here with my knowledge of Kerberos, and my C-fu is severely lacking, too ;-) )

To be absolutely clear: We can ssh-login to the machine running this pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after login, thus no access to AFS. If I do "klog.krb5", I -do- get an AFS-Token without any issues, and AFS-access starts working as it should. It's maddening that only pam_krb5 complains, while other tools work out of the box.

Any advice would be greatly appreciated!

Stephan

On Fri, 8 Jul 2022, Berthold Cogel wrote:
> On 07.07.22 at 19:04, Dirk Heinrichs wrote:
>> Benjamin Kaduk:
>>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>>
>> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>>
>> Bye...
>>
>> Dirk
>
> We're using the pam_krb5 shipped with Red Hat. I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work for some value of working.
>
> Supported enctypes in our kdc:
> aes256-cts-hmac-sha1-96:normal
> des-cbc-crc:normal
> des:afs3
>
> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.
>
> We get a krb5 ticket and a login, but getting the AFS token gives errors:
> "error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of : No credentials found with supported encryption types"
> Same for two other enctypes.
>
> So something else changed in RHEL 8, which we haven't found yet.
>
> Regards
> Berthold

Dipl. Chem. Dr. Stephan Wonczak
Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On 08.07.22 at 11:24, Berthold Cogel wrote:
> We're using the pam_krb5 shipped with Red Hat. I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work for some value of working.
>
> Supported enctypes in our kdc:
> aes256-cts-hmac-sha1-96:normal
> des-cbc-crc:normal
> des:afs3
>
> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.
>
> We get a krb5 ticket and a login, but getting the AFS token gives errors:
> "error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of : No credentials found with supported encryption types"
> Same for two other enctypes.
>
> So something else changed in RHEL 8, which we haven't found yet.

I forgot to add, that klog.krb5 is getting a token after login...
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On 07.07.22 at 19:04, Dirk Heinrichs wrote:
> Benjamin Kaduk:
>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>
> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>
> Bye...
>
> Dirk

We're using the pam_krb5 shipped with Red Hat. I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work for some value of working.

Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal
des-cbc-crc:normal
des:afs3

We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.

We get a krb5 ticket and a login, but getting the AFS token gives errors:
"error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of : No credentials found with supported encryption types"
Same for two other enctypes.

So something else changed in RHEL 8, which we haven't found yet.

Regards
Berthold
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Benjamin Kaduk:
> Are you aware of pam_afs_session
> (https://github.com/rra/pam-afs-session)? Without knowing more about
> what you're using pam_krb5 for it's hard to make specific suggestions
> about what alternatives might exist.

BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.

Bye...

Dirk

--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On Wed, Jun 29, 2022 at 04:02:17PM +0200, Berthold Cogel wrote:
> Hello,
>
> we're trying to prepare our environment for the migration to RHEL 8.
>
> At the moment, with RHEL 7 we still have our user homes in AFS and use
> pam_krb5 to get a token at login. In the long term we will migrate our
> homes to NFS4 (by administrative order...), but at the moment we're not
> ready to walk this way.
>
> The problem is, that Red Hat is forcing the usage of sssd and has
> deprecated pam_krb5. But sssd doesn't support the AFS features of
> pam_krb5. And for some reasons related to past experience we're not very
> fond of using sssd and we're looking for alternatives. But on the other
> hand, we don't have the resources to provide our own pam_krb5 package.
>
> So any enlightenment on how to handle this problem will be appreciated.

Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.

-Ben