Static ticket cache name

Techie techchavez at gmail.com
Wed Nov 10 18:44:34 EST 2010


On Wed, Nov 10, 2010 at 4:18 PM, Russ Allbery <rra at stanford.edu> wrote:
> Techie <techchavez at gmail.com> writes:
>
>> Right I put this in the common-session file only now no more
>> common-auth.  I can indeed login with pam_krb5 but it creates the ticket
>> cache as /tmp/krb5cc_$UID_randomstring like this
>> /tmp/krb5cc_23542_Cdk2d0. which I believe is the default behavior.
>
>> So it looks like it is not honouring the pam argument I put in
>> common-session. I tried both through sshd and gnome and both use
>> common-session.  I turned on debugging by appending the debug arg to the
>> end of pam_krb5.so line in common-session but no success.  It must be
>> something simple I am missing.
>
> By "no success" in the last, do you mean that after you added debug, you
> still didn't see any log messages from pam-krb5 in your logs?  That would
> indicate that whatever files you're editing are not the files that your
> PAM configuration is actually using, or that pam_krb5.so isn't running, or
> something along those lines.

I actually do get messages as seen below but no errors unfortunately.

Nov 10 17:32:47 debtest sshd[32058]: pam_krb5(sshd:auth): user krb_user authenticated as krb_user at EXAMPLE.COM
Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_open_session: entry (0x0)
Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_open_session: exit (success)
Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_close_session: entry (0x8000)
Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)

Here is my common-session. I put required there after pam_krb5.so to
try and force it.

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_krb5.so ccache=FILE:/tmp/krb5cc_000007 debug
session     optional      pam_mount.so

Here is my krb5.conf snippet where I also define the ccache. Not sure
if this is valid. I also have KRB5CCNAME set to the same in
/etc/profile so the variable is globally set.

[libdefaults]
	default_realm = EXAMPLE.COM

	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	ccache = /tmp/krb5cc_000007
	forwardable = true
	proxiable = true



Thank you

>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>