Yeah, that's going to be the issue; the "answer" will either be that
afs_session needs to run after the krb5 module does whichever step
writes out the creds for real, or that it will have to learn how to
raid the temp kcm cache.

On Mon, Dec 19, 2011 at 2:46 PM, Dave Botsch <[email protected]> wrote:
> So, the culprit in part appears to be the use_kcminit option on Apple's
> pam_krb5 ... this option does not appear to be in the pam_krb5 man page
> on Lion. Though, browsing source seems to indicate that this option in
> part uses some sort of temporary cache someplace to stick the tickets
> until login is completed.
>
> So, if use_kcminit is there...
>
> Credentials cache: API:502:41
>        Principal: [email protected]
>
>  Issued    Expires  Flags    Principal
> aklog: Couldn't get cnf.cornell.edu AFS tickets:
> aklog: unknown RPC error (-1765328243) while getting AFS tickets
>
>
> and if I in my login session then do a klist, I *do* see the TGT in that
> same cache.
>
> If I remove the undocumented use_kcminit:
>
> Credentials cache: API:502
>        Principal: [email protected]
>
>  Issued           Expires        Flags    Principal
> Dec 19 14:36:59  Dec 20 00:36:59  FPI
> krbtgt/[email protected]
>
>
>
> Authenticating to cell cnf.cornell.edu (server hole.cnf.cornell.edu).
> Trying to authenticate to user's realm CIT.CORNELL.EDU.
> Getting tickets: afs/[email protected]
> We've deduced that we need to authenticate to realm CNF.CORNELL.EDU.
> Getting tickets: afs/[email protected]
> Getting tickets: afs/[email protected]
> Getting tickets: [email protected]
> Using Kerberos V5 ticket natively
> About to resolve name [email protected] to id in cell
> cnf.cornell.edu.
> Id 261937
> Set username to AFS ID 261937
> Setting tokens. AFS ID 261937 @ cnf.cornell.edu
>
>
> What is interesting, however, is that in the login session, every other
> time, klist then shows me no tickets due to no credentials cache or does
> show me tickets. So, it would appear that after login, sometimes, the
> ticket cache goes bye bye. But, the ticket cache was there long enough
> to get tokens.
>
> Also, pam_afs_session is only being called in the pam 'auth' stack, not
> in the "session" stack.
>
> And, pam_afs_session doesn't work in the screensaver pam.d config:
>
> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
> pam_sm_setcred: entry (0x1)
> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
> running /usr/bin/aklog.sh as UID 502
> Dec 19 14:45:53 tmp29 loginwindow[40153]: pam_afs_session(screensaver):
> cannot setuid to UID 502: Operation not permitted
> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
> aklog program /usr/bin/aklog.sh returned 1
> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
> pam_sm_setcred: exit (success)
>
>
> On Mon, Dec 19, 2011 at 02:04:27PM -0500, Derrick Brashear wrote:
>> replace aklog with a shell script that outputs klist and aklog -d to a
>> file in /tmp and see what it's really doing.
>>
>> all the below tells us is kerberos failed. knowing if you have
>> tickets, etc, would be much more interesting.
>>
>> On Mon, Dec 19, 2011 at 1:00 PM, Dave Botsch <[email protected]> wrote:
>> > Hi, all.
>> >
>> > So, pam-afs-session doesn't seem to work on Lion, properly with:
>> >
>> > OpenAFS 1.6.0-1-g54686 built 2011-09-02
>> >
>> > So, I can get Kerberos tickets and run aklog to successfully get tokens
>> > at the command prompt, and all works fine. However, if I try to get
>> > tokens whilst logging in, I run into the following problem:
>> >
>> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>> > pam_afs_session(authorization): pam_sm_setcred: entry (0x1)
>> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>> > pam_afs_session(authorization): running /usr/bin/aklog as UID 502
>> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>> > pam_afs_session(authorization): aklog program /usr/bin/aklog returned 4
>> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>> > pam_afs_session(authorization): pam_sm_setcred: exit (success)
>> >
>> > Note that I *do* get Kerberos tickets upon logging in from the built in
>> > pam_krb5.
>> >
>> > Here's my PAM config in /etc/pam.d/authorization :
>> >
>> > # authorization: auth account
>> > auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
>> > auth       optional       pam_ntlm.so use_first_pass
>> > auth    optional        pam_afs_session.so nopag always_aklog debug
>> > auth       required       pam_opendirectory.so use_first_pass nullok
>> > account    required       pam_opendirectory.so
>> > session optional        pam_afs_session.so nopag always_aklog debug
>> >
>> > Thanks.
>> >
>> >
>> >
>> > --
>> > ********************************
>> > David William Botsch
>> > Programmer/Analyst
>> > CNF Computing
>> > [email protected]
>> > ********************************
>> > _______________________________________________
>> > OpenAFS-info mailing list
>> > [email protected]
>> > https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>>
>> --
>> Derrick
>>
>
> --
> ********************************
> David William Botsch
> Programmer/Analyst
> CNF Computing
> [email protected]
> ********************************



-- 
Derrick
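The stack-ordering and use_kcminit problem the thread settles on, as an added example (not code from the thread or from the pam-afs-session project): a small checker for a pam.d service file. It assumes the leading "# service: stacks" comment lists the stacks that service actually runs, and treats pam_afs_session placed after pam_krb5 use_kcminit in the auth stack as the failure case described above.

```python
import re

def parse_pam(text):
    """Return (stacks_used, entries). stacks_used is taken from a leading
    '# service: stack ...' comment (assumed to list the stacks the service runs);
    each entry is (stack, control, module, frozenset(options))."""
    stacks_used, entries = None, []
    for raw in text.splitlines():
        m = re.match(r"#\s*\S+:\s*([a-z ]+)$", raw.strip())
        if m and stacks_used is None:
            stacks_used = set(m.group(1).split())
            continue
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if len(f) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((f[0], f[1], f[2], frozenset(f[3:])))
    return stacks_used, entries

def lint_afs_session(text):
    """Return findings about pam_afs_session placement; [] means nothing flagged."""
    stacks_used, entries = parse_pam(text)
    findings = []
    auth = [e for e in entries if e[0] == "auth"]
    krb5 = [i for i, e in enumerate(auth) if e[2] == "pam_krb5.so"]
    kcm = [i for i in krb5 if "use_kcminit" in auth[i][3]]
    afs = [i for i, e in enumerate(auth) if e[2] == "pam_afs_session.so"]
    if afs and krb5 and afs[0] < krb5[0]:
        findings.append("auth: pam_afs_session precedes pam_krb5, so aklog runs before any TGT exists")
    elif afs and kcm:
        findings.append("auth: pam_afs_session follows pam_krb5 use_kcminit; aklog in pam_sm_setcred "
                        "sees an empty cache because the TGT is still in the temporary KCM cache")
    in_session = any(e[0] == "session" and e[2] == "pam_afs_session.so" for e in entries)
    if in_session and stacks_used is not None and "session" not in stacks_used:
        findings.append("session: pam_afs_session entry is never reached; service header lists only %s"
                        % " ".join(sorted(stacks_used)))
    return findings

# Constructed sample: the thread's /etc/pam.d/authorization ('default_principal' rejoined to its line).
AUTHORIZATION_KCMINIT = """\
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       optional       pam_afs_session.so nopag always_aklog debug
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
session    optional       pam_afs_session.so nopag always_aklog debug
"""
AUTHORIZATION_FIXED = AUTHORIZATION_KCMINIT.replace(" use_kcminit", "")
```

Running `lint_afs_session` on `AUTHORIZATION_KCMINIT` reports both the KCM-cache finding and that the session-stack entry is never reached for this service; on `AUTHORIZATION_FIXED` only the second remains.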
