MIT K5 - AFS - Pam login problem

Derek T. Yarnell derek at cs.umd.edu
Wed May 12 22:37:03 EDT 2004 

Are you sure your KDC is running 524d? It looks like it, but from your
post you say you are not getting afs@ tickets. (BTW, you don't really
want kerberos5 version of the AFS ticket, you just want krb4 ones.
Because openafs/afs does not deal with krb5 tickets yet)

Redhat does not kerberize /bin/login, pam is kerberized, and /bin/login
just uses pam. See /etc/pam.d and /lib/security.

Do you get a AFS token? Are you using the libdefaults/pam stuff in
/etc/krb5.conf? 

On Wed, May 05, 2004 at 11:10:05AM -0400, Andrew Bacchi wrote:
> I had this almost working last week, and then tried tweaking.  Should
> have left well enough alone.
> 
> I am not getting afs@ tickets from my K5 server, although afs tokens do
> show up in the K4 klist.  It seems the tgt is being rejected by the
> kernel.  It might be a Pam issue, or not. Any ideas?
> 
> Also, is the RedHat /bin/login a kerberized login, I'm guessing it is,
> or do I need to symlink to login.krb5?  Thanks.
>  
> Syslog reports:
> alphecca sshd[11638]: pam_krb5afs: Got 110 extra bytes in v4 TGT
> 
> And the console reports this weired message:
> afs: Tokens for user of AFS id XXXX for cell web.rpi.edu are discarded
> (rxkad error=19270408)
> 
> klist is:
> Default principal: sam at WEB.RPI.EDU
> 
> Valid starting     Expires            Service principal
> 05/05/04 10:53:19  05/05/04 20:53:20  krbtgt/WEB.RPI.EDU at WEB.RPI.EDU
>         renew until 05/05/04 10:53:19
> 
> Kerberos 4 ticket cache: /tmp/tkt65542_NNljHg
> Principal: sam at WEB.RPI.EDU
> 
>   Issued              Expires             Principal
> 05/05/04 10:53:20  05/05/04 20:53:20  krbtgt.WEB.RPI.EDU at WEB.RPI.EDU
> 05/05/04 10:53:21  05/05/04 20:53:21  afs at WEB.RPI.EDU
> 
> -- 
> Facade: Provide a unified interface to a set of interfaces in a
> subsystem.
> 
> Andrew Bacchi
> Staff Systems Programmer
> Rensselaer Polytechnic Institute
> phone: 518 276-6415  fax: 518 276-2809
> 
> http://www.rpi.edu/~bacchi/
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek at cs.umd.edu

More information about the Kerberos mailing list