Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Hi Jeffrey,

Thanks for having a look at the problem. However, I obviously did not do a very good job detailing exactly what we did ... so here's my next try. Warning: It is going to be lengthy :-)

First off: We do not use SSSD. And we would like to keep it that way, since it caused various massive problems in the past.

On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64

Looking at the debug output of the module, this is what the relevant part looks like:

Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user by (uid=0)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: default/local realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no null_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no cred_session
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_k5login
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: user_check
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try previously set password first
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask for a password if that fails
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let libkrb5 ask questions
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: use_shmem
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: external
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no multiple_ccaches
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: Kerberos 5
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: /tmp
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XX
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: FILE:/etc/krb5.keytab
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup function removing shared memory segment 3 belonging to process 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with ticket (2b)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to determine realm for "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/rrz.uni-koeln...@rrz.uni-koeln.de")
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens for cell "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no additional afs cells configured

We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild on a RHEL-8 machine. This worked without any errors. However, when we try to use this to get a token, this happens:

Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_unix(sshd:session): session opened for user a0537 by (uid=0)
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130
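Added example, not part of the post above and not code from pam_krb5 or OpenAFS: a small Python script that turns pam_krb5 debug output of the kind shown above into a per-login summary (configured realm, effective flags, ccache template, token strategy, and whether tokens were obtained for each cell) and then reports the first point at which two traces diverge. Comparing a working RHEL 7 trace against the rebuilt module's trace this way shows exactly which step is missing, instead of eyeballing two long syslog dumps. The message prefixes it matches ("configured realm", "flag:", "obtaining tokens for local cell", "got tokens for cell", ...) are the ones visible in the trace above. The RHEL 7 sample is abridged from that trace; the second trace is constructed for illustration only, because the RHEL 8 output in the post is cut off, and does not represent what the poster saw.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the pam_krb5 debug prefix inside a syslog line, e.g.
#   "Jul 8 10:26:51 host sshd[3197]: pam_krb5[3197]: flag: validate"
PAM_KRB5_RE = re.compile(r"pam_krb5\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Per-process numbers that legitimately differ between two logins
# (shared-memory segment ids, pids) are masked before traces are compared.
VOLATILE_RE = re.compile(r"\b(segment|pid|process) \d+")


def parse_pam_krb5(lines: List[str]) -> Dict[int, List[str]]:
    """Group pam_krb5 debug messages by the sshd pid that emitted them."""
    by_pid: Dict[int, List[str]] = {}
    for line in lines:
        m = PAM_KRB5_RE.search(line)
        if m:
            by_pid.setdefault(int(m.group("pid")), []).append(m.group("msg"))
    return by_pid


def summarize(msgs: List[str]) -> dict:
    """Reduce one login's pam_krb5 trace to its settings and the AFS token outcome."""
    summary: dict = {"realm": None, "flags": {}, "ccname": None,
                     "token_strategy": None, "cells": {}}
    for msg in msgs:
        if msg.startswith("configured realm '"):
            summary["realm"] = msg.split("'")[1]
        elif msg.startswith("flag: "):
            flag = msg[len("flag: "):]
            # Disabled flags are printed as "no X" or "don't X" in the trace.
            if flag.startswith("no "):
                summary["flags"][flag[3:]] = False
            elif flag.startswith("don't "):
                summary["flags"][flag[6:]] = False
            else:
                summary["flags"][flag] = True
        elif msg.startswith("ccname template: "):
            summary["ccname"] = msg[len("ccname template: "):]
        elif msg.startswith("token strategy: "):
            summary["token_strategy"] = msg[len("token strategy: "):]
        elif msg.startswith("obtaining tokens for local cell '"):
            summary["cells"][msg.split("'")[1]] = "attempted"
        elif msg.startswith('got tokens for cell "'):
            summary["cells"][msg.split('"')[1]] = "ok"
    return summary


def first_divergence(a: List[str], b: List[str]
                     ) -> Optional[Tuple[int, Optional[str], Optional[str]]]:
    """Index and messages where two traces first differ (pids masked); None if identical."""
    na = [VOLATILE_RE.sub(r"\1 N", m) for m in a]
    nb = [VOLATILE_RE.sub(r"\1 N", m) for m in b]
    for i, (x, y) in enumerate(zip(na, nb)):
        if x != y:
            return i, x, y
    if len(na) != len(nb):
        i = min(len(na), len(nb))
        return i, (na[i] if i < len(na) else None), (nb[i] if i < len(nb) else None)
    return None


# Abridged from the working RHEL 7 trace in the post (pid 3197).
RHEL7_LOG = """\
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user by (uid=0)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XX
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens for cell "rrz.uni-koeln.de"
""".splitlines()

# CONSTRUCTED second trace, for illustration only: the post's RHEL 8 output is
# cut off, so this is NOT what the poster saw. It is the RHEL 7 trace with the
# host and pid swapped, stopping after "obtaining afs tokens".
CONSTRUCTED_RHEL8_LOG = [
    line.replace("cftest", "kicktest").replace("3197", "2204130")
    for line in RHEL7_LOG[:10]
]

if __name__ == "__main__":
    ok = parse_pam_krb5(RHEL7_LOG)[3197]
    bad = parse_pam_krb5(CONSTRUCTED_RHEL8_LOG)[2204130]
    print("RHEL7:", summarize(ok))
    print("RHEL8 (constructed):", summarize(bad))
    print("first divergence:", first_divergence(ok, bad))
```

In practice you would feed it the two `journalctl -u sshd` or `/var/log/secure` excerpts for the same test user; anything with `cells` still at "attempted" (or empty) and a non-None divergence is the step to look at.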
Re: [OpenAFS] Question for admins regarding pts membership output
On 7/14/22 5:49 AM, Dirk Heinrichs wrote:
> Ed Rude:
>> I think I prefer the new behavior you are suggesting as the default.
> I'd prefer to have the current behavior as default, as to not break current scripts. Admins can then decide to enhance their scripts as needed instead of being forced to change them because they got broken.

On the other hand, I'd prefer a diminishing number of broken scripts vs. a future of less than ideal defaults, especially if some warning is issued ahead of the change. Backwards compatibility has its place: in the past, mostly.

--
+---+
/ Todd Lewis, Middleware Services, uto...@email.unc.edu /
/ "We is confronted with insurmountable opportunities." /
/ - Walt Kelly, "Pogo" /
+---+
Re: [OpenAFS] Question for admins regarding pts membership output
Ed Rude:
> I think I prefer the new behavior you are suggesting as the default.

I'd prefer to have the current behavior as default, as to not break current scripts. Admins can then decide to enhance their scripts as needed instead of being forced to change them because they got broken.

Bye...

	Dirk

--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de