I suspect that two instances of krb5 module need to be executed. One with use_kcminit and one without it. "use_kcminit" is placing the tickets in a cache that is only accessible from the logon session that is being created.
On 12/19/2011 2:54 PM, Derrick Brashear wrote:
> yeah, that's going to be the issue; the "answer" will either be that
> afs_session needs to run after the krb5 module does whichever step
> writes out the creds for real, or that it will have to learn how to
> raid the temp kcm cache.
>
> On Mon, Dec 19, 2011 at 2:46 PM, Dave Botsch <[email protected]> wrote:
>> So, the culprit in part appears to be the use_kcminit option on apple's
>> pam_krb5 ... this option does not appear to be in the pam_krb5 man page
>> on Lion. Though, browsing source seems to indicate that this option in
>> part uses some sort of temporary cache someplace to stick the tickets
>> until login is completed.
>>
>> So, if use_kcminit is there...
>>
>> Credentials cache: API:502:41
>> Principal: [email protected]
>>
>> Issued Expires Flags Principal
>> aklog: Couldn't get cnf.cornell.edu AFS tickets:
>> aklog: unknown RPC error (-1765328243) while getting AFS tickets
>>
>>
>> and if I in my login session then do a klist, I *do* see the TGT in that
>> same cache.
>>
>> If I remove the undocumented use_kcminit:
>>
>> Credentials cache: API:502
>> Principal: [email protected]
>>
>> Issued Expires Flags Principal
>> Dec 19 14:36:59 Dec 20 00:36:59 FPI
>> krbtgt/[email protected]
>>
>>
>>
>> Authenticating to cell cnf.cornell.edu (server hole.cnf.cornell.edu).
>> Trying to authenticate to user's realm CIT.CORNELL.EDU.
>> Getting tickets: afs/[email protected]
>> We've deduced that we need to authenticate to realm CNF.CORNELL.EDU.
>> Getting tickets: afs/[email protected]
>> Getting tickets: afs/[email protected]
>> Getting tickets: [email protected]
>> Using Kerberos V5 ticket natively
>> About to resolve name [email protected] to id in cell
>> cnf.cornell.edu.
>> Id 261937
>> Set username to AFS ID 261937
>> Setting tokens.
>> AFS ID 261937 @ cnf.cornell.edu
>>
>>
>> What is interesting, however, is that in the login session, every other
>> time, klist then shows me no tickets due to no credentials cache or does
>> show me tickets. So, it would appear that after login, sometimes, the
>> ticket cache goes bye bye. But, the ticket cache was there long enough
>> to get tokens.
>>
>> Also, pam_afs_session is only being called in the pam 'auth' stack, not
>> in the "session" stack.
>>
>> And, pam_afs_session doesn't work in the screensaver pam.d config:
>>
>> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
>> pam_sm_setcred: entry (0x1)
>> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
>> running /usr/bin/aklog.sh as UID 502
>> Dec 19 14:45:53 tmp29 loginwindow[40153]: pam_afs_session(screensaver):
>> cannot setuid to UID 502: Operation not permitted
>> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
>> aklog program /usr/bin/aklog.sh returned 1
>> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
>> pam_sm_setcred: exit (success)
>>
>>
>> On Mon, Dec 19, 2011 at 02:04:27PM -0500, Derrick Brashear wrote:
>>> replace aklog with a shell script that outputs klist and aklog -d to a
>>> file in /tmp and see what it's really doing.
>>>
>>> all the below tells us is kerberos failed. knowing if you have
>>> tickets, etc, would be much more interesting.
>>>
>>> On Mon, Dec 19, 2011 at 1:00 PM, Dave Botsch <[email protected]> wrote:
>>>> hi, all.
>>>>
>>>> So, pam-afs-session doesn't seem to work on Lion, properly with:
>>>>
>>>> OpenAFS 1.6.0-1-g54686 built 2011-09-02
>>>>
>>>> So, I can get Kerberos tickets and run aklog to successfully get tokens
>>>> at the command prompt, and all works fine. However, if I try to get
>>>> tokens whilst logging in, I run into the following problem:
>>>>
>>>> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>>>> pam_afs_session(authorization): pam_sm_setcred: entry (0x1)
>>>> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>>>> pam_afs_session(authorization): running /usr/bin/aklog as UID 502
>>>> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>>>> pam_afs_session(authorization): aklog program /usr/bin/aklog returned 4
>>>> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>>>> pam_afs_session(authorization): pam_sm_setcred: exit (success)
>>>>
>>>> Note that I *do* get Kerberos tickets upon logging in from the built in
>>>> pam_krb5.
>>>>
>>>> Here's my PAM config in /etc/pam.d/authorization :
>>>>
>>>> # authorization: auth account
>>>> auth optional pam_krb5.so use_first_pass use_kcminit
>>>> default_principal
>>>> auth optional pam_ntlm.so use_first_pass
>>>> auth optional pam_afs_session.so nopag always_aklog debug
>>>> auth required pam_opendirectory.so use_first_pass nullok
>>>> account required pam_opendirectory.so
>>>> session optional pam_afs_session.so nopag always_aklog debug
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> ********************************
>>>> David William Botsch
>>>> Programmer/Analyst
>>>> CNF Computing
>>>> [email protected]
>>>> ********************************
>>>> _______________________________________________
>>>> OpenAFS-info mailing list
>>>> [email protected]
>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>
>>> --
>>> Derrick
