Hey mate,

No. I don't use autofs here. However, I noticed a very strange phenomenon here. On the client side I can use ksu to log in as user amy.
[root@submit ~]# kinit amy
Password for [email protected]:
[root@submit ~]# ksu amy
Changing uid to amy (502)
[amy@submit root]$ klist
Ticket cache: FILE:/tmp/krb5cc_502.1
Default principal: [email protected]

Valid starting     Expires            Service principal
10/16/11 02:25:54  10/17/11 02:25:44  krbtgt/[email protected]
        renew until 10/16/11 02:25:54
10/16/11 02:26:01  10/17/11 02:25:44  afs/[email protected]
        renew until 10/16/11 02:25:54
[amy@submit root]$ cd ~
[amy@submit ~]$ pwd
/pool/home/amy
[amy@submit ~]$

But I don't think it makes sense to get an afs TGS. On the server side, I saw the following information.

Oct 16 02:25:44 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Oct 16 02:25:54 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Oct 16 02:26:01 server.herdingcat.internal krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=1 ses=1}, [email protected] for afs/[email protected]

Why will it try to get OpenAFS stuff? That really confuses me.

Thanks.

Eric

On Sun, Oct 16, 2011 at 7:48 PM, Mehta, Rohit <[email protected]> wrote:
> Hi eric have you configured auto.home for -t nfs4?
>
> Lee Eric <[email protected]> wrote:
>
>
> Hi all,
>
> I integrated NFS4 and Kerberos properly. However, I noticed that users
> whose home dirs are in NFS4 shares cannot log in. In my
> environment, some users are using OpenAFS, others using NFS4 as home
> dirs.
>
> Here's the client side (host name: submit) /var/log/secure partial log
> as the user amy logs in.
>
> Oct 16 01:59:19 submit unix_chkpwd[1272]: password check failed for user (amy)
> Oct 16 01:59:19 submit login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=amy
>
> And here's the client side /etc/pam.d/system-auth contents.
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        optional      pam_afs_session.so
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
> session     required      pam_afs_session.so
>
> Here's the partial log of /var/log/krb5kdc.log on the server side (host
> name: server) as user amy logs in.
>
> Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> Oct 16 02:01:51 server.herdingcat.internal krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=1 ses=1}, [email protected] for afs/[email protected]
>
> I'm very curious why the system is going to try afs there. I have
> defined the home dirs in NFS shares.
>
> Could anyone help me to figure it out?
>
> Thanks very much.
>
> Eric
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
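The thread above turns on reading the KDC log correctly: the afs/ TGS_REQ that follows each AS_REQ is exactly what a PAM stack containing pam_afs_session.so produces, since that module obtains an AFS token after Kerberos authentication and needs a service ticket for the afs/ principal to do so. The same lines also show that ticket being issued with etype 1 (des-cbc-crc) and the client offering only that enctype, which is worth noticing on its own. The following script is an added example, not code from the thread or from any of the projects mentioned; it parses krb5kdc.log lines of the format shown above (the three lines quoted earlier are embedded as constructed sample input), records client, service and enctypes per request, and reports AFS service-ticket requests and deprecated enctypes. The enctype numbers and names come from the IANA Kerberos enctype registry; single DES is deprecated by RFC 6649 and RC4-HMAC by RFC 8429.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three krb5kdc.log lines quoted earlier in this thread.
KDC_LOG = """\
Oct 16 02:25:44 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Oct 16 02:25:54 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Oct 16 02:26:01 server.herdingcat.internal krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=1 ses=1}, [email protected] for afs/[email protected]
"""

# Enctype numbers from the IANA Kerberos registry. Single-DES (1, 2, 3) is
# deprecated by RFC 6649 and RC4-HMAC (23) by RFC 8429.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
DEPRECATED_ENCTYPES = {1, 2, 3, 23}

# One krb5kdc.log request line: timestamp, host, request type, offered enctypes,
# client IP, status word, and the remainder (principals, issued enctypes).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUED_RE = re.compile(r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")


@dataclass
class KdcEvent:
    ts: str
    host: str
    req: str            # AS_REQ or TGS_REQ
    offered: List[int]  # enctypes the client offered
    ip: str
    status: str         # ISSUE, NEEDED_PREAUTH, ...
    client: str
    service: str
    rep: Optional[int] = None  # enctypes actually used, only on ISSUE lines
    tkt: Optional[int] = None
    ses: Optional[int] = None


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse krb5kdc.log request lines; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PRINC_RE.search(m.group("rest"))
        if not p:
            continue
        ev = KdcEvent(
            ts=m.group("ts"), host=m.group("host"), req=m.group("req"),
            offered=[int(x) for x in m.group("offered").split()],
            ip=m.group("ip"), status=m.group("status"),
            client=p.group("client"), service=p.group("service"),
        )
        issued = ISSUED_RE.search(m.group("rest"))
        if issued:
            ev.rep, ev.tkt, ev.ses = (int(issued.group(k)) for k in ("rep", "tkt", "ses"))
        events.append(ev)
    return events


def _names(etypes: List[int]) -> str:
    return ", ".join(f"{e} ({ENCTYPE_NAMES.get(e, 'unknown')})" for e in etypes)


def audit(events: List[KdcEvent]) -> List[str]:
    """Explain AFS ticket requests and flag deprecated enctypes in the issued tickets."""
    findings = []
    for e in events:
        who = f"{e.client} from {e.ip}"
        if e.req == "TGS_REQ" and e.service.startswith("afs/"):
            findings.append(f"{e.ts}: {who} requested an AFS service ticket ({e.service}); "
                            "consistent with pam_afs_session obtaining an AFS token after login")
        if e.offered and all(t in DEPRECATED_ENCTYPES for t in e.offered):
            findings.append(f"{e.ts}: {who} offered only deprecated enctypes "
                            f"{_names(e.offered)} for {e.service}")
        if e.status == "ISSUE":
            for label, et in (("ticket", e.tkt), ("session key", e.ses)):
                if et in DEPRECATED_ENCTYPES:
                    findings.append(f"{e.ts}: {label} for {e.service} uses deprecated enctype {_names([et])}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_kdc_log(KDC_LOG)):
        print(finding)
```

Run against the sample, the script reports one AFS finding and three enctype findings, all from the TGS_REQ line: the client offered only etype 1, and both the afs/ ticket and its session key were issued with des-cbc-crc. The two krbtgt/ requests are AES-256 throughout and produce no findings.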
