MIT K5 - AFS - Pam login problem
Derek T. Yarnell
derek at cs.umd.edu
Wed May 12 22:37:03 EDT 2004
Are you sure your KDC is running 524d? It looks like it, but from your
post you say you are not getting afs@ tickets. (BTW, you don't really
want kerberos5 version of the AFS ticket, you just want krb4 ones.
Because openafs/afs does not deal with krb5 tickets yet)
Redhat does not kerberize /bin/login, pam is kerberized, and /bin/login
just uses pam. See /etc/pam.d and /lib/security.
Do you get a AFS token? Are you using the libdefaults/pam stuff in
/etc/krb5.conf?
On Wed, May 05, 2004 at 11:10:05AM -0400, Andrew Bacchi wrote:
> I had this almost working last week, and then tried tweaking. Should
> have left well enough alone.
>
> I am not getting afs@ tickets from my K5 server, although afs tokens do
> show up in the K4 klist. It seems the tgt is being rejected by the
> kernel. It might be a Pam issue, or not. Any ideas?
>
> Also, is the RedHat /bin/login a kerberized login, I'm guessing it is,
> or do I need to symlink to login.krb5? Thanks.
>
> Syslog reports:
> alphecca sshd[11638]: pam_krb5afs: Got 110 extra bytes in v4 TGT
>
> And the console reports this weired message:
> afs: Tokens for user of AFS id XXXX for cell web.rpi.edu are discarded
> (rxkad error=19270408)
>
> klist is:
> Default principal: sam at WEB.RPI.EDU
>
> Valid starting Expires Service principal
> 05/05/04 10:53:19 05/05/04 20:53:20 krbtgt/WEB.RPI.EDU at WEB.RPI.EDU
> renew until 05/05/04 10:53:19
>
> Kerberos 4 ticket cache: /tmp/tkt65542_NNljHg
> Principal: sam at WEB.RPI.EDU
>
> Issued Expires Principal
> 05/05/04 10:53:20 05/05/04 20:53:20 krbtgt.WEB.RPI.EDU at WEB.RPI.EDU
> 05/05/04 10:53:21 05/05/04 20:53:21 afs at WEB.RPI.EDU
>
> --
> Facade: Provide a unified interface to a set of interfaces in a
> subsystem.
>
> Andrew Bacchi
> Staff Systems Programmer
> Rensselaer Polytechnic Institute
> phone: 518 276-6415 fax: 518 276-2809
>
> http://www.rpi.edu/~bacchi/
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek at cs.umd.edu
More information about the Kerberos
mailing list