More fun with Russ' pam_krb5
Coy Hile
coy.hile at coyhile.com
Tue Mar 11 20:35:00 EDT 2008
Okay, I think I've got my pam.conf sorted, but it still seems that xscreensaver is being weird.
Here is an excerpt from pam.conf for dtlogin:
|dtlogin-SunRay auth requisite pam_authtok_get.so.1
|dtlogin-SunRay auth required pam_dhkeys.so.1 debug
|dtlogin-SunRay auth required pam_unix_cred.so.1 debug
|dtlogin-SunRay auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
|dtlogin-SunRay auth required /krb5/lib/security/pam_afs_session.so debug
|dtlogin-SunRay auth optional pam_unix_auth.so.1
which causes the following in syslog:
Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): none: <unknown>: entry (0x0)
Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): hile: attempting authentication as hile at COYHILE.COM
Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 166327 user.debug] pam_dhkeys: user2netname failed
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 990244 auth.debug] pam_unix_cred: pam_sm_setcred(flags = 1, argc= 1)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 990244 auth.debug] pam_unix_cred: pam_sm_setcred(flags = 1, argc= 1)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 741634 auth.debug] pam_unix_cred: user = hile, rhost = NULL
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 741634 auth.debug] pam_unix_cred: user = hile, rhost = NULL
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 857698 auth.debug] pam_unix_cred: state = -1, auid = -2
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 857698 auth.debug] pam_unix_cred: state = -1, auid = -2
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 437940 auth.debug] pam_unix_cred: audit already set for -2
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 437940 auth.debug] pam_unix_cred: audit already set for -2
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: entry (0x1)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: initializing ticket cache /tmp/krb5cc_1000_6vaOiS
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): <unknown>: entry (0x1)
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): <unknown>: exit (success)
Now I couldn't care less what pam_unix_cred is debugging on about, but I figured I would include the whole log for completeness.
I note that the ticket cache is set up as I would expect it given my entries in pam.conf. In xscreensaver, however, the plot thickens. I've got the following in pam.conf for xscreensaver:
|xscreensaver auth requisite pam_authtok_get.so.1
|xscreensaver auth required pam_dhkeys.so.1
|xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
|xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug
|xscreensaver auth optional pam_unix_auth.so.1
And I get the following in syslog:
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): none: <unknown>: entry (0x1)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: attempting authentication as hile at COYHILE.COM
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: entry (0x8)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: refreshing ticket cache /tmp/krb5cc_1000
                                                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): <unknown>: entry (0x8)
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): <unknown>: exit (success)
Notice the ticket cache mentioned above.
What am I missing to have xscreensaver updating the wrong ticket cache?
--
Coy Hile
coy.hile at coyhile.com
"Unarmed combat is what we enter into when we have been foolish enough
not to have a weapon; careless enough to lose our weapon, or unlucky
enough to have broken our weapon"
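
Added example, not part of the original post: a small check that compares the ticket cache paths pam_krb5 logs against the ccache= template configured for the same service, using lines taken from the post as sample input. The function names, the prefix matching of process name to PAM service name, and the expansion rules for %u and XXXXXX are assumptions made for this example.

```python
import re

# Sample input embedded for the example: lines taken from the post above.
PAM_CONF = """\
|dtlogin-SunRay auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
|xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
"""
SYSLOG = """\
Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: initializing ticket cache /tmp/krb5cc_1000_6vaOiS
Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: refreshing ticket cache /tmp/krb5cc_1000
"""

CACHE_LINE = re.compile(
    r"\s(?P<proc>[\w.-]+)\[\d+\]: .*\(pam_krb5\): (?P<user>\S+): "
    r"(?P<action>initializing|refreshing) ticket cache (?P<path>\S+)")

def ccache_templates(pam_conf):
    """Map PAM service name -> ccache= template given on its pam_krb5 line."""
    templates = {}
    for line in pam_conf.splitlines():
        fields = line.lstrip("|").split()  # service, type, control, module, options...
        if len(fields) >= 4 and "pam_krb5" in fields[3]:
            for opt in fields[4:]:
                if opt.startswith("ccache="):
                    templates[fields[0]] = opt[len("ccache="):]
    return templates

def template_regex(template):
    """Assumption: %u becomes the numeric UID and a trailing XXXXXX becomes six
    random characters, which is what the dtlogin log line in the post shows."""
    suffix = ""
    if template.endswith("XXXXXX"):
        template, suffix = template[:-6], r"[A-Za-z0-9]{6}"
    body = r"\d+".join(re.escape(part) for part in template.split("%u"))
    return re.compile(body + suffix + r"\Z")

def mismatched_caches(pam_conf, syslog):
    """Return (process, action, path) for logged caches that do not fit the template."""
    templates = ccache_templates(pam_conf)
    findings = []
    for line in syslog.splitlines():
        m = CACHE_LINE.search(line)
        if not m:
            continue
        # Heuristic: a service such as dtlogin-SunRay is matched by process-name prefix.
        tmpl = next((t for s, t in templates.items() if s.startswith(m["proc"])), None)
        if tmpl and not template_regex(tmpl).match(m["path"]):
            findings.append((m["proc"], m["action"], m["path"]))
    return findings

if __name__ == "__main__":
    for finding in mismatched_caches(PAM_CONF, SYSLOG):
        print("cache path does not match ccache= template:", *finding)
```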