Claudio Prono wrote:
> Douglas E. Engert wrote:
>> On 10/1/2010 10:46 AM, Claudio Prono wrote:
>>> Hello all,
>>>
>>> I am searching for someone experienced with an openafs-client with pam,
>>> kerberos and ldap.
>>
>> What OS?
>
> It is an OpenSuse 11.3
>
>>> I am trying to use a single sign-on to a linux client with afs (shell
>>> user, no local user). I have set up pam with krb5 and afs, with these
>>> configs:
>>>
>>> /etc/pam.d/common-auth
>>>
>>> auth required pam_env.so
>>> auth optional pam_gnome_keyring.so
>>> auth sufficient pam_unix2.so
>>> auth sufficient pam_krb5.so use_first_pass
>>> auth required pam_deny.so
>>>
>>> /etc/pam.d/common-session
>>>
>>> session required pam_limits.so
>>> session required pam_unix2.so
>>> session optional pam_krb5.so
>>> session optional pam_umask.so
>>> session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm
>>>
>>> /etc/pam.d/common-password
>>>
>>> password requisite pam_pwcheck.so nullok cracklib
>>> password optional pam_gnome_keyring.so use_authtok
>>> password [default=ignore success=1] pam_succeed_if.so uid> 999 quiet
>>> password sufficient pam_unix2.so use_authtok nullok
>>> password sufficient pam_krb5.so
>>> password required pam_deny.so
>>>
>>> /etc/pam.d/common-account
>>>
>>> account requisite pam_unix2.so
>>> account required pam_krb5.so use_first_pass ignore_unknown_principals
>>> account sufficient pam_localuser.so
>>> account required pam_ldap.so use_first_pass
>>
>> Are you sure you need the pam_ldap.so here? It's generally used
>> only for authentication, and you are using Kerberos.
>> If you have nss_ldap set up via /etc/nsswitch.conf you should
>> not need pam_ldap.so.
>>
>> Which pam_krb5 are you using? Does it do AFS?
>> If not you will also need pam_afs_session.so to get tokens.
>
> I have tried to remove pam_ldap.so from common_account, but nothing
> solved. Same error.
>
> This is my nss_switch.conf:
>
> passwd: compat
> group: files ldap
> shadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files dns
>
> services: files ldap
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files ldap
> publickey: files
>
> bootparams: files
> automount: files nis ldap
> aliases: files ldap
> passwd_compat: ldap
>
>>> If I do an id [user] on the remote machine, it works (it is not a local
>>> user)
>>>
>>> id claudio
>>> uid=1003(claudio) gid=100(users)
>>> groups=100(users),1000(domadm),1001(Domain Admins)
>>>
>>> But, when I try to log in with a ldap/kerberos user, in the machine
>>> logs I get this:
>>>
>>> Oct 1 16:48:03 linux-7w13 sshd[4192]: pam_krb5[4192]: authentication succeeds for 'claudio' ([email protected])
>>> Oct 1 16:48:03 linux-7w13 sshd[4099]: error: PAM: Authentication failure for claudio from 192.168.87.131
>>>
>>> I don't understand... why does it first succeed, and then fail?
>>>
>>> What is wrong?
>>>
>>> Any hint is welcome..
>>>
>>> Cheers,
>>>
>>> Claudio.

Other info that can be useful: I have tried to put the krb5_pam in debug, and the result in messages is this:

Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: default/local realm 'MEDIASERVICE-TEST.PRI'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: configured realm 'MEDIASERVICE-TEST.PRI'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: debug
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flags: forwardable not proxiable
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: no ignore_afs
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: no null_afs
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: user_check
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: no krb4_convert
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: krb4_convert_524
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: krb4_use_as_req
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: will try previously set password first
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: will let libkrb5 ask questions
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: use_shmem
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: external
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: no multiple_ccaches
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: warn
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: ticket lifetime: 86400s (1d,0h,0m,0s)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: renewable lifetime: 86400s (1d,0h,0m,0s)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: minimum uid: 1
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: banner: Kerberos 5
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: ccache dir: /tmp
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: keytab: FILE:/etc/krb5.keytab
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: token strategy: v4,524,2b,rxk5
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: pam_authenticate called for 'claudio', realm 'MEDIASERVICE-TEST.PRI'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: authenticating '[email protected]'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: checking for externally-obtained v5 credentials
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: KRB5CCNAME is not set, none found
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: trying previously-entered password for 'claudio', allowing libkrb5 to prompt for more
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: authenticating '[email protected]' to 'krbtgt/[email protected]'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: krb5_get_init_creds_password(krbtgt/[email protected]) returned 0 (Success)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: got result 0 (Success)
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: saving v5 credentials to 'MEMORY:[email protected]' for internal use
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: obtaining afs tokens
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: creating new PAG
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: obtaining tokens for local cell 'mediaservice-test.pri'
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: trying with v5 ticket (2b)
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: attempting to determine realm for "mediaservice-test.pri"
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: file server for "/afs/mediaservice-test.pri" is 127.0.0.2
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: error 0(Success) determining realm for #020
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: attempting to obtain tokens for "mediaservice-test.pri" ("afs/[email protected]")
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: got tokens for cell "mediaservice-test.pri"
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: no additional afs cells configured
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: saving v5 credentials to 'MEMORY:[email protected]' for internal use
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: copied credentials from "MEMORY:[email protected]" to "FILE:/tmp/krb5cc_1003_bm4243" for the user, destroying "MEMORY:[email protected]"
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: created v5 ccache 'FILE:/tmp/krb5cc_1003_TXSb1v' for 'claudio'
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: krb5_kuserok() says 1
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: removing ccache 'FILE:/tmp/krb5cc_1003_TXSb1v'
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: destroyed ccache 'FILE:/tmp/krb5cc_1003_TXSb1v'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: '[email protected]' passes .k5login check for 'claudio'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: saved v5 credentials to shared memory segment 196613 (creator pid 4242)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: set '_pam_krb5_stash_claudio_MEDIASERVICE-TEST.PRI__1_shm5=196613/4242' in environment
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: authentication succeeds for 'claudio' ([email protected])
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: pam_authenticate returning 0 (Success)
Oct 1 17:32:36 linux-7w13 sshd[4234]: error: PAM: Authentication failure for claudio from 192.168.87.131

All successful, but the last PAM: Authentication failure..... What can it be?

Cordially,

Claudio.

-- 
--------------------------------------------------------------------------------
Claudio Prono                                 OPST
System Developer                              Gsm: +39-349-54.33.258
@PSS Srl                                      Tel: +39-011-32.72.100
Via San Bernardino, 17                        Fax: +39-011-32.46.497
10141 Torino - ITALY                          http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
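The thread turns on how a PAM stack can log "authentication succeeds" from one module and still have sshd report "PAM: Authentication failure": sshd calls pam_authenticate and, if that passes, pam_acct_mgmt, and the verdict of each stack depends on the control flags of every module in it, not on one module's result. The following simulator is an added example, not code from this thread, from OpenAFS or from Linux-PAM itself. It re-implements the control-flag rules described in pam.conf(5) (required, requisite, sufficient, optional and the [value=action] form, including the N jump) and walks the poster's common-auth, common-account and common-password stacks with constructed per-module return values; the outcomes assigned to pam_unix2, pam_localuser and pam_ldap are assumptions for illustration, not observations from the poster's machine, and the pam_succeed_if argument spacing is normalised to `uid > 999`.

```python
"""Simulate the Linux-PAM stack walk (required/requisite/sufficient/optional
and the [value=action] form) over the PAM stacks quoted in the thread.
Module return values are constructed for illustration."""
import re

SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "success", "auth_err", "user_unknown", "perm_denied"

# Keyword flags in the [value=action] form they abbreviate (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# pam_strerror() texts, the part sshd logs after "error: PAM: ".
STRERROR = {SUCCESS: "Success", AUTH_ERR: "Authentication failure",
            USER_UNKNOWN: "User not known to the underlying authentication module",
            PERM_DENIED: "Permission denied"}
LINE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)")


def parse_stack(text, ptype):
    """Return [(control, module, args)] for the lines of one PAM type."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("cannot parse: " + raw)
        kind, control, module, rest = m.groups()
        if kind != ptype:
            continue
        ctl = (dict(kv.split("=", 1) for kv in control[1:-1].split())
               if control.startswith("[") else KEYWORDS[control])
        stack.append((ctl, module, rest.split()))
    return stack


def evaluate(stack, outcomes):
    """Walk a parsed stack; outcomes maps module -> return value (unlisted
    modules return success). Returns (overall status, trace of decisions)."""
    status, trace, i = None, [], 0      # status: first recorded verdict
    while i < len(stack):
        ctl, module, _ = stack[i]
        result = outcomes.get(module, SUCCESS)
        action = ctl.get(result, ctl.get("default", "bad"))
        trace.append(f"{module}: {result} -> {action}")
        if action in ("ok", "done") or action.isdigit():
            if status in (None, SUCCESS):  # a success never overrides a failure
                status = result
            if action == "done" and status == SUCCESS:
                break                      # sufficient: stack succeeds now
            if action.isdigit():
                i += int(action)           # N: like ok, then skip N modules
        elif action in ("bad", "die"):
            if status in (None, SUCCESS):
                status = result            # first failure decides the verdict
            if action == "die":
                break                      # requisite: stop immediately
        i += 1                             # "ignore": result does not count
    return (PERM_DENIED if status is None else status), trace


# Copies of the poster's stacks (pam_succeed_if spacing normalised).
PAM_FILES = """\
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_deny.so
"""


def demo():
    """Constructed scenarios for a Kerberos/LDAP user with no local password."""
    auth, account, password = (parse_stack(PAM_FILES, t) for t in ("auth", "account", "password"))
    out = {}
    # auth: pam_unix2 fails, pam_krb5 (sufficient) succeeds -> stack succeeds, pam_deny never runs
    out["auth"] = evaluate(auth, {"pam_unix2.so": AUTH_ERR})
    # account: two successes cannot outweigh one failed "required" module (assumed pam_ldap failure)
    out["account"] = evaluate(account, {"pam_localuser.so": AUTH_ERR, "pam_ldap.so": AUTH_ERR})
    out["account_ldap_ok"] = evaluate(account, {"pam_localuser.so": AUTH_ERR})
    # requisite failure ends the walk at once
    out["account_requisite"] = evaluate(account, {"pam_unix2.so": USER_UNKNOWN})
    # password: the success=1 jump skips pam_unix2 for uid > 999
    out["password"] = evaluate(password, {})
    return out


if __name__ == "__main__":
    for name, (status, trace) in demo().items():
        print(f"{name}: {STRERROR[status]}  [{'; '.join(trace)}]")
```

Running it prints one line per scenario with the pam_strerror text sshd would log and the per-module decision trace; the point to take from the "account" scenario is that a pam_authenticate stack can return Success, exactly as in the poster's debug output, while a single failing `required` module in the account stack still yields "Authentication failure" at sshd. When debugging a stack like this, enabling debug output on every module in the account and session stacks, not only on pam_krb5, shows which one recorded the failure.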
