* sabah salih [2008-03-25 13:47:23 +0000]:
> I installed SL43 last week with "heimdal"
>
> openafs-krb5-1.4.4-46.SL4
> kernel-module-openafs-2.6.9-34.EL-1.4.0-8.SL
> openafs-firstboot-1.2.11-5.SL
> openafs-1.4.4-46.SL4
> openafs-kpasswd-1.4.4-46.SL4
> openafs-client-1.4.4-46.SL4
> kernel-module-openafs-2.6.9-67.0.4.EL-1.4.4-46.SL4
> openafs-compat-1.4.4-46.SL4
> openafs-devel-1.4.4-46.SL4
>
> heimdal-tools-0.6.3-11.SL4
> heimdal-0.6.3-11.SL4
> heimdal-devel-0.6.3-11.SL4
> heimdal-lib-0.6.3-11.SL4
> pam_heimdal-1.3-rc7.9
>
> and krb5
> openafs-krb5-1.4.4-46.SL4
> pam_krb5-2.1.8-1
> krb5-devel-1.3.4-49
> krb5-workstation-1.3.4-49
> krb5-libs-1.3.4-49
> krb5-auth-dialog-0.2-1

You don't mention the version of ssh. Since we're talking about rather
old software, it could be that you're rediscovering old bugs.

> system-auth
>
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> #
> auth        sufficient    /lib/security/$ISA/pam_heimdalafs.so try_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> #
> password    sufficient    /lib/security/pam_heimdalafs.so try_first_pass
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> #
> session     required      /lib/security/pam_heimdalafs.so try_first_pass

Some of these modules accept the "debug" option. In particular, I
would try it on the pam_heimdalafs invocations. To make sense of the
results you'll need to also look at the module's source code.

It looks from the version number as if this might be the sourceforge
module by Balázs Gál. Back when I was using it, I had to fix a few
bugs to make it work. Nowadays you'd probably be better off picking
another module or two. For SL4, I know at least one site that's
successfully using pam_krb5afs.so from pam_krb5-2.2.8-1.3.cern in
conjunction with openssh-4.3p2-4.cern; one needs to invoke
pam_krb5afs.so with "external=sshd" as an argument.

> and I had no problem to login direct or via ssh
> and get afs token.
>
> On Friday I installed another machine with openafs,
> krb5 , and kernel update. but the same heimdal and
> system-auth file
>
> with updated machine I can login direct and have
> no problem.
> However when I try to ssh I get
> disconnected and message in the log shows
>
> Mar 24 18:58:42 pc26 sshd[9861]: Accepted password for sabah from ::ffff:194.36.3.178 port 60142 ssh2
> Mar 24 18:58:42 pc26 sshd[9868]: fatal: PAM: pam_open_session(): Authentication service cannot retrieve user credentials
>
>
> Has anyone seen this?
> Does anyone know how it could be fixed please?
>
>
> Many Thanks, Sabah.
>
> --
> *********************************************************
> * From Sabah Salih                                      *
> * The School of Physics and Astronomy,                  *
> * The University of Manchester,                         *
> * Schuster Laboratory,                                  *
> * Brunswick Street,                                     *
> * Manchester M13 9PL.                                   *
> * Tel: +44 1612754171 or x4171                          *
> * E-mail: [EMAIL PROTECTED]                             *
> *                                                       *
> *********************************************************
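
The "debug" suggestion in the reply above, as an added example that is not part of the original message or of any module's own tooling: a shell function that prints a copy of a PAM file with `debug` appended to every active line invoking a given module. The function name `add_pam_debug` and the sample file are constructed for illustration; whether a particular module honours `debug` has to be checked against that module.

```shell
#!/bin/sh
# add_pam_debug MODULE FILE   (hypothetical helper, not from the thread)
# Print FILE with " debug" appended to each active line that invokes MODULE.
# Comment lines, blank lines and lines that already carry "debug" pass
# through unchanged. FILE itself is never modified: review the output,
# then install it by hand and keep a root shell open while testing.
add_pam_debug() {
    awk -v mod="$1" '
        # Pass comments and blank lines through untouched.
        NF == 0 || $1 ~ /^#/ { print; next }
        {
            pos = 0; has_debug = 0
            for (i = 2; i <= NF; i++) {
                # Match on the basename so paths with and without $ISA count.
                n = split($i, parts, "/")
                if (pos == 0 && parts[n] == mod) { pos = i; continue }
                # Only arguments after the module path are module options.
                if (pos > 0 && $i == "debug") has_debug = 1
            }
            if (pos > 0 && !has_debug) print $0 " debug"; else print
        }
    ' "$2"
}

# Constructed sample modelled on the system-auth lines quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth        sufficient    /lib/security/$ISA/pam_heimdalafs.so try_first_pass
session     required      /lib/security/$ISA/pam_unix.so
# session   required      /lib/security/pam_heimdalafs.so
session     required      /lib/security/pam_heimdalafs.so try_first_pass debug
session     required      /lib/security/pam_heimdalafs.so try_first_pass
EOF
add_pam_debug pam_heimdalafs.so "$sample"
rm -f "$sample"
```

PAM modules normally send their debug messages to syslog, so the extra output should appear next to the sshd lines quoted above.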
