"Rong,Yongjun(CS)" wrote: > > Hi, I have another problem when I trying to run pam_krb5 and pam_gssklog > with pam_unix. > when config my dtlogin in pam.conf in solaris 9 box as below: > > dtlogin auth requisite pam_authtok_get.so.1 debug > dtlogin auth required pam_dhkeys.so.1 debug > dtlogin auth required pam_krb5.so debug forwardable realmm=TTU.EDU > use_first_pass > dtlogin auth optional pam_gssklog.so.1 debug > > The pam_gssklog is working fine and pam_sm_setcred was called. It can run > gssklog crrectly and get FAS tokens. > But if I add pam_unix_auth.so.1 before pam_krb5.so as below: > > dtlogin auth requisite pam_authtok_get.so.1 debug > dtlogin auth required pam_dhkeys.so.1 debug > dtlogin auth sufficient pam_unix_auth.so.1 debug use_first_pass > dtlogin auth required pam_krb5.so debug forwardable realmm=TTU.EDU > use_first_pass > dtlogin auth optional pam_gssklog.so.1 debug > > The pam_sm_setcred in pam_gssklog was not called. So it cannot run gssklog > to get AFS tokens. pam_sm_authenticate in pam_gssklog was called. If I > adjusted the order of the pam-unix as below: > > dtlogin auth requisite pam_authtok_get.so.1 debug > dtlogin auth required pam_dhkeys.so.1 debug > dtlogin auth optional pam_krb5.so debug forwardable realmm=TTU.EDU > use_first_pass > dtlogin auth sufficient pam_gssklog.so.1 debug > dtlogin auth required pam_unix_auth.so.1 debug use_first_pass > > It still has the same result. pam_sm_setcred was not called.

This looks like it is a PAM config problem. On Solaris 9 I would try:

dtlogin auth requisite pam_authtok_get.so.1 debug
dtlogin auth required pam_dhkeys.so.1 debug
dtlogin auth sufficient pam_krb5.so debug forwardable realmm=TTU.EDU
dtlogin auth optional pam_gssklog.so.1 debug
dtlogin auth required pam_unix_auth.so.1 debug use_first_pass

And if this does not work, try required for the gssklog.

>
> What I want is just to combine the general Unix authentication with the
> Kerberos authentication. When one authentication fails, the system will try
> another one. If one succeeds, it will pass.
> Another question: Is it possible to move gssklog running to
> pam_sm_open_session like pam_openafs_session for aklog?

You would have to make some changes to the code to support the session code.
In effect the pam_gssklog is trying to find the Kerberos ticket cache and call
gssklog. Depending on how important it is to have a token during the rest of
the PAM processing, you might be able to call it later. The other option is
to have the pam_krb5 call gssklog_pag_klog.

P.S. Your examples above use "realmm"; should that be "realm"?

>
> Any suggestions? Thanks.
> Rong
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Rong,Yongjun(CS)
> Sent: Tuesday, June 15, 2004 4:36 PM
> To: [EMAIL PROTECTED]; Douglas E. Engert
> Cc: [EMAIL PROTECTED]
> Subject: Solutions RE: [OpenAFS-devel] pam_gssklog on solaris9
>
> Hi,
> I have figured out the problem. For Solaris, I added "#define
> TARGET_ARCH_SOLARIS" and changed gssklog_exec = "/usr/bin/gssklog" in
> gssklog_pag_klog.c and recompiled pam_gssklog.so.1. Then it works. Please make
> sure the gssklog_exec is the path to your gssklog file, not the directory.
> That's all.
> Thanks again for everyone's help.
> Rong
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
> Sent: Monday, June 14, 2004 8:57 PM
> To: Douglas E. Engert
> Cc: [EMAIL PROTECTED]
> Subject: Re: [OpenAFS-devel] pam_gssklog on solaris9
>
> I have changed it to /usr/bin and recompiled it. I put my gssklog in
> /usr/bin. But it still has the same error. I can run it manually without
> any problem. The env has the correct krb5 ticket cache file.
>
> > "Rong,Yongjun(CS)" wrote:
> >
> >> Hi,
> >> The execle(gssklog_exec, "gssklog","-silent",0,env) in gssklog_pag_klog
> >> has been called. But it returns errno= 13 which means permission denied.
> >> I have checked the permission of the gssklog and pam_gssklog.so.1. All are
> >> 755. I can run gssklog manually via command line. But the pam_gssklog.so
> >> cannot call gssklog via execle.
> >
> > gssklog_exec is the path of the gssklog. It defaults to /krb5/bin/gssklog
> > If this is not the location, you will have to recompile or move it. It's on
> > my to-do list to make this a parameter. (actually replace the
> > gssklog_pag_klog.c with the routines used by ssh.)
> >
> >>
> >> Anyone has any suggestions?
> >> Thanks.
> >> Rong
> >>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Rong,Yongjun(CS)
> >> Sent: Monday, June 14, 2004 2:35 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: RE: [OpenAFS-devel] pam_gssklog on solaris9
> >>
> >> I have got the pam_sm_setcred called when a user logs in. But pam_gssklog
> >> seems unable to call the gssklog_pag_klog function.
> >> I got the debug information below before gssklog_pag_klog is called:
> >> Jun 14 14:26:27 tset dtlogin[7216]: [ID 868606 user.debug] pam_gssklog: env=KRB5CCNAME=FILE:/tmp/krb5cc_2079_X7aago
> >> Jun 14 14:26:27 tset dtlogin[7216]: [ID 868606 user.debug] pam_gssklog: set_pag=1
> >>
> >> I have checked that /tmp/krb5cc_2079_X7aago is correct. But it seems
> >> gssklog_pag_klog is not called even though there is a function call from
> >> pam_gssklog as below:
> >> gssklog_pag_klog(set_pag, env);
> >> I have put some debug inside gssklog_pag_klog.c, but no information
> >> was printed.
> >> Thanks for your suggestions.
> >> Rong
> >>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Rong,Yongjun(CS)
> >> Sent: Thursday, June 10, 2004 5:02 PM
> >> To: Rong,Yongjun(CS); [EMAIL PROTECTED]
> >> Subject: RE: [OpenAFS-devel] pam_gssklog on solaris9
> >>
> >> I have got pam_sm_setcred called by the PAM framework after I changed my
> >> pam.conf as below:
> >> dtlogin auth requisite pam_authtok_get.so.1 debug
> >> #dtlogin auth required pam_dhkeys.so.1 debug
> >> #dtlogin auth sufficient pam_unix_auth.so.1 debug use_first_pass
> >> dtlogin auth required pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
> >> dtlogin auth required pam_gssklog.so.1 debug
> >>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Rong,Yongjun(CS)
> >> Sent: Thursday, June 10, 2004 3:51 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: [OpenAFS-devel] pam_gssklog on solaris9
> >>
> >> Hi, All,
> >> I have another problem with the pam_gssklog. It seems the pam_sm_setcred
> >> cannot be called during the process of login. My pam.conf for dtlogin is
> >> as below:
> >>
> >> dtlogin auth requisite pam_authtok_get.so.1 debug
> >> dtlogin auth required pam_dhkeys.so.1 debug
> >> dtlogin auth sufficient pam_unix_auth.so.1 debug use_first_pass
> >> dtlogin auth optional pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
> >> dtlogin auth optional pam_gssklog.so.1 debug
> >>
> >> pam_krb5.so is working fine. After the user logs in, I can klist the
> >> tickets. But the pam_gssklog is not working well. From the debug
> >> information, the pam_sm_setcred is not being called.
> >> Any suggestions? Thanks in advance.
> >> Rong

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel

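The `errno = 13` failure in the thread came from `gssklog_exec` naming a directory rather than the `gssklog` file, which `execle` reports as EACCES even when every mode bit is 755. The following is an added example, not code from pam_gssklog or from the messages above: it classifies the helper path before the exec and reports the exec errno back to the parent. The names `check_helper` and `exec_errno` and the ticket-cache value are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum helper_status { HELPER_OK, HELPER_MISSING, HELPER_NOT_FILE, HELPER_NOT_EXEC };

/* Classify the configured helper path so the debug log names the real cause. */
enum helper_status check_helper(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return HELPER_MISSING;
    if (!S_ISREG(st.st_mode)) return HELPER_NOT_FILE;   /* a directory lands here */
    if (access(path, X_OK) != 0) return HELPER_NOT_EXEC;
    return HELPER_OK;
}

/* Fork, execle the helper with the arguments quoted in the thread, and return
 * 0 if the exec succeeded or the child's errno if it failed. */
int exec_errno(const char *path, char *const env[])
{
    int fds[2], err = 0;
    pid_t pid;
    if (pipe(fds) != 0) return errno;
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);   /* write end vanishes on a successful exec */
    pid = fork();
    if (pid < 0) { err = errno; close(fds[0]); close(fds[1]); return err; }
    if (pid == 0) {
        close(fds[0]);
        execle(path, "gssklog", "-silent", (char *)0, env);
        err = errno;                      /* only reached when the exec failed */
        if (write(fds[1], &err, sizeof err) < 0) _exit(126);
        _exit(127);
    }
    close(fds[1]);
    if (read(fds[0], &err, sizeof err) != (ssize_t)sizeof err) err = 0;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return err;
}

int main(void)
{
    char *env[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_constructed", NULL }; /* constructed */
    int e = exec_errno("/usr/bin", env);  /* a directory, as in the thread */
    printf("check=%d exec errno=%d (%s)\n", check_helper("/usr/bin"), e, strerror(e));
    return 0;
}
```

Logging the result of a check like `check_helper` next to the existing `env=` and `set_pag=` debug lines would distinguish a wrong path from a genuine permission problem.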