More fun with Russ' pam_krb5

Coy Hile coy.hile at coyhile.com
Tue Mar 11 20:35:00 EDT 2008


Okay, I think I've got my pam.conf sorted, but it still seems that xscreensaver is being weird.

Here is an excerpt from pam.conf for dtlogin:

|dtlogin-SunRay  auth requisite  pam_authtok_get.so.1
|dtlogin-SunRay  auth required   pam_dhkeys.so.1 debug
|dtlogin-SunRay  auth required   pam_unix_cred.so.1 debug
|dtlogin-SunRay  auth optional   /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
|dtlogin-SunRay  auth required   /krb5/lib/security/pam_afs_session.so debug
|dtlogin-SunRay  auth optional   pam_unix_auth.so.1

which causes the following in syslog

Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): none: <unknown>: entry (0x0)
Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): hile: attempting authentication as hile at COYHILE.COM
Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 166327 user.debug] pam_dhkeys: user2netname failed
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 990244 auth.debug] pam_unix_cred: pam_sm_setcred(flags = 1, argc= 1)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 990244 auth.debug] pam_unix_cred: pam_sm_setcred(flags = 1, argc= 1)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 741634 auth.debug] pam_unix_cred: user = hile, rhost = NULL
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 741634 auth.debug] pam_unix_cred: user = hile, rhost = NULL
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 857698 auth.debug] pam_unix_cred: state = -1, auid = -2
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 857698 auth.debug] pam_unix_cred: state = -1, auid = -2
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 437940 auth.debug] pam_unix_cred: audit already set for -2
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 437940 auth.debug] pam_unix_cred: audit already set for -2
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: entry (0x1)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: initializing ticket cache /tmp/krb5cc_1000_6vaOiS
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): <unknown>: entry (0x1)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): <unknown>: exit (success)

Now I couldn't care less what pam_unix_cred is debugging on about, but I figured I would include the whole log for completeness.

I note that the ticket cache is set up as I would expect it given my entries in pam.conf. In xscreensaver, however, the plot thickens. I've got the following in pam.conf for xscreensaver:

|xscreensaver    auth requisite  pam_authtok_get.so.1
|xscreensaver    auth required   pam_dhkeys.so.1
|xscreensaver    auth optional   /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
|xscreensaver    auth required   /krb5/lib/security/pam_afs_session.so debug
|xscreensaver    auth optional   pam_unix_auth.so.1

And I get the following in syslog:

Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): none: <unknown>: entry (0x1)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: attempting authentication as hile at COYHILE.COM
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: entry (0x8)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: refreshing ticket cache /tmp/krb5cc_1000
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): <unknown>: entry (0x8)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): <unknown>: exit (success)

Notice the ticket cache mentioned above.

What am I missing to have xscreensaver updating the wrong ticket cache?


-- 
Coy Hile
coy.hile at coyhile.com
"Unarmed combat is what we enter into when we have been foolish enough
not to have a weapon; careless enough to lose our weapon, or unlucky
enough to have broken our weapon"
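
An added example, not part of the original post: a Python check that reads pam_krb5 debug lines like the ones quoted above and flags any "refreshing ticket cache" entry whose path differs from the cache most recently initialized for the same user. The function name and the "alice" lines are constructed for illustration; the "hile" lines are copied from the excerpts above.

```python
import re

# pam_krb5 debug lines as they appear in the syslog excerpts above, e.g.
#   dtlogin[22597]: [ID ...] (pam_krb5): hile: initializing ticket cache /tmp/...
CACHE_RE = re.compile(
    r"(?P<svc>[\w.-]+)\[(?P<pid>\d+)\]: .*?\(pam_krb5\): (?P<user>[^:\s]+): "
    r"(?P<action>initializing|refreshing) ticket cache (?P<path>\S+)"
)


def find_cache_mismatches(lines):
    """Return (user, service, refreshed_path, initialized_path) for every
    refresh that targets a cache other than the one last initialized."""
    initialized = {}  # user -> path of the most recently initialized cache
    mismatches = []
    for line in lines:
        m = CACHE_RE.search(line)
        if not m:
            continue  # not a pam_krb5 cache line (pam_unix_cred, aklog, ...)
        user, path = m["user"], m["path"]
        if m["action"] == "initializing":
            initialized[user] = path
        elif user in initialized and initialized[user] != path:
            # A refresh with no earlier initialization in the log is skipped:
            # the login may simply predate the captured window.
            mismatches.append((user, m["svc"], path, initialized[user]))
    return mismatches


# Sample input: the two "hile" lines come from the post; the "alice" lines
# are constructed to show a refresh that hits the expected cache.
SAMPLE_LOG = """\
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: initializing ticket cache /tmp/krb5cc_1000_6vaOiS
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
Mar 11 20:23:10 ganymede dtlogin[22601]: [ID 584047 user.debug] (pam_krb5): alice: initializing ticket cache /tmp/krb5cc_1001_AbCdEf
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: refreshing ticket cache /tmp/krb5cc_1000
Mar 11 20:25:03 ganymede xscreensaver[22750]: [ID 584047 user.debug] (pam_krb5): alice: refreshing ticket cache /tmp/krb5cc_1001_AbCdEf
""".splitlines()

if __name__ == "__main__":
    for user, svc, got, want in find_cache_mismatches(SAMPLE_LOG):
        print(f"{user}: {svc} refreshed {got}, but login initialized {want}")
```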


