So, the culprit in part appears to be the use_kcminit option on Apple's
pam_krb5 ... this option does not appear to be in the pam_krb5 man page
on Lion. Though, browsing source seems to indicate that this option in
part uses some sort of temporary cache someplace to stick the tickets
until login is completed.

So, if use_kcminit is there...

Credentials cache: API:502:41
Principal: [email protected]
Issued Expires Flags Principal
aklog: Couldn't get cnf.cornell.edu AFS tickets:
aklog: unknown RPC error (-1765328243) while getting AFS tickets

and if I in my login session then do a klist, I *do* see the TGT in that
same cache.

If I remove the undocumented use_kcminit:

Credentials cache: API:502
Principal: [email protected]
Issued Expires Flags Principal
Dec 19 14:36:59 Dec 20 00:36:59 FPI krbtgt/[email protected]
Authenticating to cell cnf.cornell.edu (server hole.cnf.cornell.edu).
Trying to authenticate to user's realm CIT.CORNELL.EDU.
Getting tickets: afs/[email protected]
We've deduced that we need to authenticate to realm CNF.CORNELL.EDU.
Getting tickets: afs/[email protected]
Getting tickets: afs/[email protected]
Getting tickets: [email protected]
Using Kerberos V5 ticket natively
About to resolve name [email protected] to id in cell cnf.cornell.edu.
Id 261937
Set username to AFS ID 261937
Setting tokens. AFS ID 261937 @ cnf.cornell.edu

What is interesting, however, is that in the login session, every other
time, klist then shows me no tickets due to no credentials cache or does
show me tickets. So, it would appear that after login, sometimes, the
ticket cache goes bye bye. But, the ticket cache was there long enough
to get tokens.

Also, pam_afs_session is only being called in the pam 'auth' stack, not
in the "session" stack.

And, pam_afs_session doesn't work in the screensaver pam.d config:

Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
pam_sm_setcred: entry (0x1)
Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
running /usr/bin/aklog.sh as UID 502
Dec 19 14:45:53 tmp29 loginwindow[40153]: pam_afs_session(screensaver):
cannot setuid to UID 502: Operation not permitted
Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
aklog program /usr/bin/aklog.sh returned 1
Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
pam_sm_setcred: exit (success)

On Mon, Dec 19, 2011 at 02:04:27PM -0500, Derrick Brashear wrote:
> replace aklog with a shell script that outputs klist and aklog -d to a
> file in /tmp and see what it's really doing.
>
> all the below tells us is kerberos failed. knowing if you have
> tickets, etc, would be much more interesting.
>
> On Mon, Dec 19, 2011 at 1:00 PM, Dave Botsch <[email protected]> wrote:
> > hi, all.
> >
> > So, pam-afs-session doesn't seem to work on Lion, properly with:
> >
> > OpenAFS 1.6.0-1-g54686 built 2011-09-02
> >
> > So, I can get Kerberos tickets and run aklog to successfully get tokens
> > at the command prompt, and all works fine. However, if I try to get
> > tokens whilst logging in, I run into the following problem:
> >
> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> > pam_afs_session(authorization): pam_sm_setcred: entry (0x1)
> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> > pam_afs_session(authorization): running /usr/bin/aklog as UID 502
> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> > pam_afs_session(authorization): aklog program /usr/bin/aklog returned 4
> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> > pam_afs_session(authorization): pam_sm_setcred: exit (success)
> >
> > Note that I *do* get Kerberos tickets upon logging in from the built in
> > pam_krb5.
> >
> > Here's my PAM config in /etc/pam.d/authorization :
> >
> > # authorization: auth account
> > auth optional pam_krb5.so use_first_pass use_kcminit default_principal
> > auth optional pam_ntlm.so use_first_pass
> > auth optional pam_afs_session.so nopag always_aklog debug
> > auth required pam_opendirectory.so use_first_pass nullok
> > account required pam_opendirectory.so
> > session optional pam_afs_session.so nopag always_aklog debug
> >
> > Thanks.
> >
> >
> >
> > --
> > ********************************
> > David William Botsch
> > Programmer/Analyst
> > CNF Computing
> > [email protected]
> > ********************************
> > _______________________________________________
> > OpenAFS-info mailing list
> > [email protected]
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
> --
> Derrick
>
--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
[email protected]
********************************
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
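Derrick's suggestion above (a shell script standing in for aklog that writes klist and "aklog -d" output to a file) carried out as an added example; this is not code from the thread, from OpenAFS or from pam-afs-session. It assumes the real binaries are at /usr/bin/klist and /usr/bin/aklog (the KLIST_BIN / AKLOG_BIN override names are mine) and that the script is installed under the name /usr/bin/aklog.sh, which is the name pam_afs_session is already running in Dave's screensaver log. It exits with the real aklog's status, so the "aklog program ... returned N" line in the PAM debug output stays meaningful, and it uses mktemp instead of a fixed file name in /tmp, because the wrapper runs as root or setuid to the user during login and a predictable path in a world-writable directory is the classic symlink hazard.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS/pam-afs-session:
# a stand-in for aklog that records what the login-time environment really
# looks like (uid, KRB5CCNAME, klist, "aklog -d" output) and then exits with
# the real aklog's status. Dave's screensaver log shows pam_afs_session
# running /usr/bin/aklog.sh, so that is the install name assumed here.
#
# Assumed (not from the thread): real binaries at /usr/bin/klist and
# /usr/bin/aklog; KLIST_BIN / AKLOG_BIN are names chosen for this example.
KLIST_BIN="${KLIST_BIN:-/usr/bin/klist}"
AKLOG_BIN="${AKLOG_BIN:-/usr/bin/aklog}"

# Print the path of a fresh log file. mktemp creates it mode 0600 with an
# unpredictable name, so the wrapper never opens a fixed, guessable path in a
# world-writable directory (it runs as root in the auth stack, or setuid to
# the user, and a pre-planted symlink at a known name would be followed).
aklog_debug_logfile() {
    mktemp "${TMPDIR:-/tmp}/aklog-debug.$(id -u).XXXXXX"
}

# aklog_debug_run LOGFILE [aklog args...]
# Appends the diagnostics and the real aklog's output to LOGFILE and returns
# aklog's exit status.
aklog_debug_run() {
    logfile="$1"; shift
    {
        echo "=== $(date) pid=$$ uid=$(id -u) KRB5CCNAME=${KRB5CCNAME:-<unset>}"
        echo "--- klist"
        "$KLIST_BIN" 2>&1 || echo "(klist exited with status $?)"
        echo "--- aklog -d $*"
    } >>"$logfile"
    # Pass through whatever arguments PAM supplied, adding -d for verbosity,
    # and capture the status in a form that survives "set -e" in a caller.
    "$AKLOG_BIN" -d "$@" >>"$logfile" 2>&1 && rc=0 || rc=$?
    echo "aklog exit status: $rc" >>"$logfile"
    return "$rc"
}

# Dispatch only when invoked under the installed name (/usr/bin/aklog.sh);
# sourcing this file, e.g. to test the functions, defines them and does nothing.
case "$0" in
    *aklog.sh) aklog_debug_run "$(aklog_debug_logfile)" "$@"; exit $? ;;
esac
```

Each invocation leaves one aklog-debug.UID.XXXXXX file, so after a failed login you can compare the file written during the auth stack (uid 0 or the user, depending on the stack) with the one written from a shell, and see directly whether the credentials cache the wrapper saw is the same API:502 cache that klist shows afterwards.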