John Tang Boyland wrote:
] Russ Allbery wrote:
] > John Tang Boyland <[EMAIL PROTECTED]> writes:
] >
] >> ] It looks like you're not running pam_krb5 in the session stack. pam_krb5
] >> ] should be listed in the session stack before pam_afs_session, and that
] >> ] will probably fix the problem.
] >>
] >> (BTW: This is Sun-provided pam_krb5)
] >
] > Ah, hm. I wonder if the Sun-provided pam_krb5 won't write out the ticket
] > cache during pam_open_session the way that mine will.
] >
] > You may have to try Unix first and then try pam_krb5 so that you can put
] > pam_afs_session into the auth group. Something like:
] >
] > dtlogin auth requisite pam_authtok_get.so.1
] > dtlogin auth required pam_dhkeys.so.1
] > dtlogin auth required pam_unix_cred.so.1
] > dtlogin auth sufficient pam_unix_auth.so.1
] > dtlogin auth required pam_krb5.so.1
] > dtlogin auth required pam_afs_session.so.1
]
] I believe you are correct. As a test I built pam_afs_session-1.5
] on Solaris 10 (sparc) using the Sun Kerberos and OpenAFS 1.4.6,
] as I have been meaning to do this for some time to see if it could
] replace pam_afs2. I then modified /etc/pam.conf to call pam_afs_session
] in a few places (but not all yet). In all cases it is using the pam_sm_setcred
] routine to set the pag and/or get a token.
]
What shows up in /var/adm/messages if the /etc/pam.conf has:
dtlogin auth requisite pam_authtok_get.so.1 debug
dtlogin auth required pam_dhkeys.so.1 debug
dtlogin auth required pam_unix_cred.so.1 debug
dtlogin auth optional pam_krb5.so.1 debug
dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
dtlogin auth optional pam_unix_auth.so.1 debug
On my system the interesting lines contain:
dtlogin[2604]: [ID 655841 user.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
dtlogin[2604]: [ID 549540 user.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='myusername'
dtlogin[2604]: [ID 179272 user.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
dtlogin[2604]: [ID 833335 user.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
dtlogin[2604]: [ID 914654 user.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_1000', age = 0, status = 0
dtlogin[2604]: [ID 525286 user.debug] PAM-KRB5 (auth): end: Success
dtlogin[2619]: [ID 629253 user.debug] PAM-KRB5 (setcred): start: nowarn = 0, flags = 0x1
dtlogin[2619]: [ID 586274 user.debug] PAM-KRB5 (setcred): kmd auth_status: Success
dtlogin[2619]: [ID 522831 user.debug] PAM-KRB5 (setcred): attempt_refresh: set uid of user 'myusername'
dtlogin[2619]: [ID 156909 user.debug] PAM-KRB5 (setcred): User not in cred cache (No credentials cache file found)
(The above says it did not find the /tmp/krb5cc_1000, so had to create the file.
If there was a preexisting /tmp/krb5cc_1000 it would have "refreshed" the creds.)
dtlogin[2619]: [ID 735350 user.debug] PAM-KRB5 (setcred): end: Success
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: entry (0x1)
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
aklog[2620]: [ID 218067 user.debug] pkcs11_softtoken: Keystore access failed.
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: exit (success)
Note that pam_krb5 with the setcred was called, and saved the cache.
Then pam_afs_session was called from the setcred and called aklog that worked.
] #DEE smartcard failed, so skip it for now
] #dtlogin auth requisite pam_smartcard.so.1
] dtlogin auth requisite pam_authtok_get.so.1
] dtlogin auth required pam_dhkeys.so.1
] dtlogin auth required pam_unix_cred.so.1
] dtlogin auth optional pam_krb5.so.1
] dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
] #dtlogin auth required /krb5/lib/pam_afs2.so.1
] # allows password login
] dtlogin auth optional pam_unix_auth.so.1
]
] #
] # dtsession - lock/unlock screen, refresh creds and AFS token
] #
] dtsession auth requisite pam_authtok_get.so.1
] dtsession auth required pam_dhkeys.so.1
] dtsession auth optional pam_krb5.so.1
] dtsession auth required /krb5/lib/pam_afs_session.so.1 debug
] #dtsession auth required /krb5/lib/pam_afs2.so.1 nopag
] # allows unlock with local password
] dtsession auth optional pam_unix_auth.so.1
]
] #
] # xscreensaver used by gnome or CDE
] #
] xscreensaver auth requisite pam_authtok_get.so.1
] xscreensaver auth required pam_dhkeys.so.1
] xscreensaver auth optional pam_krb5.so.1
] xscreensaver auth required /krb5/lib/pam_afs_session.so.1 debug
] #xscreensaver auth required /krb5/lib/pam_afs2.so.1 nopag
] # allows unlock with local password
] xscreensaver auth optional pam_unix_auth.so.1
] #
]
] Sorry, I finally have time to reply to this. I tried both
] suggestions but neither worked. It still writes out
] the Kerberos token after calling pam_afs_session.
] This is specific to dtlogin, sshd does fine.
] The workaround is to log in twice: first in failsafe session,
] immediately log out, and then log in using the normal session.
] John
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
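As an added illustration (not code from the thread, from pam_afs_session, or from the Sun pam_krb5), a small Python check for the ordering requirement Russ and Douglas describe: within a given service stack, pam_krb5 must precede pam_afs_session so that the ticket cache exists before aklog is run. The sample pam.conf below is constructed; the "badlogin" and "xlogin" services are hypothetical mis-orderings, and the module names are matched by basename so that full paths such as /krb5/lib/pam_afs_session.so.1 are handled.

```python
import os
from collections import defaultdict

# Constructed /etc/pam.conf fragment in Solaris syntax, modelled on the dtlogin
# stack in the thread, plus two deliberately broken hypothetical services.
SAMPLE_PAM_CONF = """\
# dtlogin: pam_krb5 writes the ticket cache in setcred, then aklog runs
dtlogin auth requisite pam_authtok_get.so.1 debug
dtlogin auth required  pam_dhkeys.so.1
dtlogin auth required  pam_unix_cred.so.1
dtlogin auth optional  pam_krb5.so.1 debug
dtlogin auth required  /krb5/lib/pam_afs_session.so.1 debug
dtlogin auth optional  pam_unix_auth.so.1
# badlogin (hypothetical): aklog would run before any ticket cache exists
badlogin auth requisite pam_authtok_get.so.1
badlogin auth required  /krb5/lib/pam_afs_session.so.1
badlogin auth optional  pam_krb5.so.1
# xlogin (hypothetical): no Kerberos module at all ahead of pam_afs_session
xlogin session required /krb5/lib/pam_afs_session.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [module basename, ...]} in stack order."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # pam.conf needs at least: service type control module
        service, mtype, module = fields[0], fields[1].lower(), fields[3]
        stacks[(service, mtype)].append(os.path.basename(module))
    return stacks

def check_afs_ordering(text):
    """Flag stacks where pam_afs_session would run without a ticket cache."""
    findings = []
    for (service, mtype), modules in parse_pam_conf(text).items():
        afs = [i for i, m in enumerate(modules) if m.startswith("pam_afs_session")]
        krb = [i for i, m in enumerate(modules) if m.startswith("pam_krb5")]
        if not afs:
            continue
        if not krb:
            findings.append((service, mtype, "pam_afs_session without pam_krb5"))
        elif min(afs) < min(krb):
            findings.append((service, mtype, "pam_afs_session before pam_krb5"))
    return findings

if __name__ == "__main__":
    for finding in check_afs_ordering(SAMPLE_PAM_CONF):
        print("%s %s: %s" % finding)
```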