On Tue, Oct 28, 2008 at 10:57:22AM -0500, Troy Dawson wrote:
> Ahh ... the old log in with the password and not via kerberos tickets, and
> don't get the credentials problem. Yes, I remember that one.
> Unfortunately, I don't remember if it was resolved ... but I'm pretty sure
> there is a bugzilla about this. But right at the moment, I'm pretty swamped
> and am not able to find it.
Thanks, this is good enough for me for now. Just one more question: If
you refer to bugzilla, is that SL specific or the one at RH?
Regards,
Felix
> Troy
>
> Felix Engel wrote:
>> Hi Troy,
>>
>> On Tue, Oct 28, 2008 at 09:12:24AM -0500, Troy Dawson wrote:
>>> Hi,
>>> You never said which version of SL, openssh, or pam_krb5.
>> Sorry about that, I was at that point only asking for a comment on the
>> openssh bug. Anyway, here is the detailed information:
>>
>>
>> Scientific Linux SL release 5.0 (Boron)
>> Linux maximus 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 12:38:37 EDT 2008
>> x86_64 x86_64 x86_64 GNU/Linux
>> openssh-server.x86_64 4.3p2-26.el5_2.1
>> openssh.x86_64 4.3p2-26.el5_2.1
>> openssh-clients.x86_64 4.3p2-26.el5_2.1
>> pam_krb5.i386 2.2.14-1.el5_2.1
>> pam_krb5.x86_64 2.2.14-1.el5_2.1
>>
>>> For us, the problem is usually on the client, because by default, it does
>>> not delegate credentials. So in /etc/ssh/ssh_config you have to set
>>> GSSAPIDelegateCredentials yes
>>
>> The client machine is a debian etch which is not part of the kerberos
>> realm. It uses openssh-4.3p2-9etch3. Since it does not have
>> credentials, the user logs in to the SL5 server using his username and
>> password, which should trigger pam_krb5 and obtain credentials. To do
>> this we have set
>> PasswordAuthentication no
>> UsePAM yes
>> in /etc/ssh/sshd_config on the server.
>>
>> Logging on works, however the credentials are not cached. As long as
>> the user logs in via another method (usually gdm) first, the
>> credentials are correctly forwarded via ssh and they are available.
>> Kind regards,
>> Felix
>>
>>
>> ------- SNIP Log file extracts below -----
>> /var/log/messages:
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authentication succeeds for 'engel' ([EMAIL PROTECTED])
>> Oct 28 16:25:48 maximus sshd[3406]: Accepted keyboard-interactive/pam for engel from 137.226.90.33 port 45550 ssh2
>>
>>
>> /var/log/syslog:
>> Oct 28 16:25:48 maximus sshd[3408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=angelus.iss.rwth-aachen.de user=engel
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: configured realm 'ISS.RWTH-AACHEN.DE'
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flags: forwardable
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no ignore_afs
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: user_check
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no krb4_convert
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: krb4_convert_524
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: krb4_use_as_req
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: will try previously set password first
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: will let libkrb5 ask questions
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no use_shmem
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no external
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: ticket lifetime: 0
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: renewable lifetime: 0
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: banner: Kerberos 5
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: ccache dir: /tmp
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: keytab: FILE:/etc/krb5.keytab
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: called to authenticate 'engel', realm 'ISS.RWTH-AACHEN.DE'
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authenticating '[EMAIL PROTECTED]TH-AACHEN.DE'
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: trying previously-entered password for 'engel', allowing libkrb5 to prompt for more
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authenticating '[EMAIL PROTECTED]TH-AACHEN.DE' to 'krbtgt/[EMAIL PROTECTED]'
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: krb5_get_init_creds_password(krbtgt/[EMAIL PROTECTED]) returned 0 (Success)
>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: got result 0 (Success)
>> [...failing attempt to obtain v4 credentials...]
>> [...pam account services ...]
>> Oct 28 16:25:48 maximus sshd[3409]: Deprecated pam_stack module called from service "sshd"
>> Oct 28 16:25:48 maximus sshd[3409]: pam_unix(sshd:session): session opened for user engel by (uid=0)
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: configured realm 'ISS.RWTH-AACHEN.DE'
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flags: forwardable
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no ignore_afs
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: user_check
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no krb4_convert
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: krb4_convert_524
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: krb4_use_as_req
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will try previously set password first
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will ask for a password if that fails
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will let libkrb5 ask questions
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no use_shmem
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no external
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: ticket lifetime: 0
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: renewable lifetime: 0
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: banner: Kerberos 5
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: ccache dir: /tmp
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: keytab: FILE:/etc/krb5.keytab
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: no v5 creds for user 'engel', skipping session setup
>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: pam_open_session returning 0 (Success)
>> Oct 28 16:25:48 maximus sshd[3409]: Deprecated pam_stack module called from service "sshd"
>
>
> --
> __________________________________________________
> Troy Dawson [EMAIL PROTECTED] (630)840-6468
> Fermilab ComputingDivision/LCSI/CSI DSS Group
> __________________________________________________
>
--
Dipl.-Ing. Felix Engel | mail: [EMAIL PROTECTED]
fon: +49 241 80 27985 | fax: +49 241 80 28306
RWTH Aachen University, SSS 611920, Templergraben 55, D-52056 Aachen
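The symptom in Felix's logs is that pam_krb5 obtains a TGT in the sshd authentication process (pid 3408) but the session phase, run by a different sshd process (pid 3409), finds no credentials and skips cache setup. The script below is an added example, not part of the thread or of pam_krb5, that correlates those two messages per user in sshd syslog output so an administrator can spot password/PAM logins that ended up without a ticket cache; the sample lines are constructed to mirror the format quoted above, with a placeholder realm and documentation-range addresses.

```python
import re
from datetime import datetime

# Syslog shape from the thread: "<Mon dd HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"pam_krb5\[\d+\]: authentication succeeds for '(?P<user>[^']+)'")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from")
NO_CREDS_RE = re.compile(r"pam_krb5\[\d+\]: no v5 creds for user '(?P<user>[^']+)', skipping session setup")
WINDOW_SECONDS = 5  # auth and session phases of one login land within a few seconds

def parse_events(lines):
    """Yield (timestamp, host, pid, message) for every sshd syslog line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"], int(m["pid"]), m["msg"]

def find_uncached_logins(lines):
    """Flag logins where pam_krb5 obtained a TGT in the auth phase but the session
    phase (run by a different sshd process) reported no credentials to set up."""
    pending = {}   # (host, user) -> {"ts", "auth_pid", "method"}
    findings = []
    for ts, host, pid, msg in parse_events(lines):
        m = AUTH_OK_RE.search(msg)
        if m:
            pending[(host, m["user"])] = {"ts": ts, "auth_pid": pid, "method": None}
            continue
        m = ACCEPTED_RE.match(msg)
        if m and (host, m["user"]) in pending:
            pending[(host, m["user"])]["method"] = m["method"]
            continue
        m = NO_CREDS_RE.search(msg)
        if m and (host, m["user"]) in pending:
            rec = pending.pop((host, m["user"]))
            if (ts - rec["ts"]).total_seconds() <= WINDOW_SECONDS:
                findings.append({"host": host, "user": m["user"], "method": rec["method"],
                                 "auth_pid": rec["auth_pid"], "session_pid": pid,
                                 "note": "TGT obtained during auth but not available at session setup"})
    return findings

# Constructed sample modelled on the thread's /var/log/messages and /var/log/syslog excerpts.
# The 'ops' publickey login never ran pam_krb5 authentication, so its "no v5 creds" line is normal.
SAMPLE = """\
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authentication succeeds for 'engel' (engel@EXAMPLE.REALM)
Oct 28 16:25:48 maximus sshd[3406]: Accepted keyboard-interactive/pam for engel from 192.0.2.10 port 45550 ssh2
Oct 28 16:25:48 maximus sshd[3409]: pam_unix(sshd:session): session opened for user engel by (uid=0)
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: no v5 creds for user 'engel', skipping session setup
Oct 28 16:30:02 maximus sshd[3520]: Accepted publickey for ops from 192.0.2.11 port 50122 ssh2
Oct 28 16:30:02 maximus sshd[3522]: pam_krb5[3522]: no v5 creds for user 'ops', skipping session setup
""".splitlines()
```

Run `find_uncached_logins(SAMPLE)` to get one finding for 'engel' (auth pid 3408, session pid 3409, method keyboard-interactive/pam) and none for the publickey login.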