Static ticket cache name
Techie
techchavez at gmail.com
Wed Nov 10 18:44:34 EST 2010
On Wed, Nov 10, 2010 at 4:18 PM, Russ Allbery <rra at stanford.edu> wrote:
> Techie <techchavez at gmail.com> writes:
>
>> Right I put this in the common-session file only now no more
>> common-auth. I can indeed login with pam_krb5 but it creates the ticket
>> cache as /tmp/krb5cc_$UID_randomstring like this
>> /tmp/krb5cc_23542_Cdk2d0. which I believe is the default behavior.
>
>> So it looks like it is not honouring the pam argument I put in
>> common-session. I tried both through sshd and gnome and both use
>> common-session. I turned on debugging by appending the debug arg to the
>> end of pam_krb5.so line in common-session but no success. It must be
>> something simple I am missing.
>
> By "no success" in the last, do you mean that after you added debug, you
> still didn't see any log messages from pam-krb5 in your logs? That would
> indicate that whatever files you're editing are not the files that your
> PAM configuration is actually using, or that pam_krb5.so isn't running, or
> something along those lines.

I actually do get messages as seen below but no errors unfortunately.

Nov 10 17:32:47 debtest sshd[32058]: pam_krb5(sshd:auth): user krb_user authenticated as krb_user at EXAMPLE.COM
Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_open_session: entry (0x0)
Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_open_session: exit (success)
Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_close_session: entry (0x8000)
Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)

Here is my common-session. I put required there after pam_krb5.so to
try and force it.

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_krb5.so ccache=FILE:/tmp/krb5cc_000007 debug
session optional pam_mount.so

Here is my krb5.conf snippet where I also define the ccache. Not sure
if this is valid. I also have KRB5CCNAME set to the same in
/etc/profile so the variable is globally set.

[libdefaults]
default_realm = EXAMPLE.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
ccache = /tmp/krb5cc_000007
forwardable = true
proxiable = true

Thank you
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
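
An added example, not part of the original message and not pam-krb5's own code: a Python check that cross-references the debug log lines with the common-session contents quoted above. For each PAM type in which pam_krb5 logged, it reports whether the inspected file has a pam_krb5.so line of that type and which ccache= value that line carries. The function names are hypothetical, and the sample input is copied from the message with wrapped lines rejoined.

```python
import re

# Sample input copied from the message above, with mail-wrapped lines rejoined.
PAM_CONFIG = """\
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_krb5.so ccache=FILE:/tmp/krb5cc_000007 debug
session optional pam_mount.so
"""
SYSLOG = """\
Nov 10 17:32:47 debtest sshd[32058]: pam_krb5(sshd:auth): user krb_user authenticated as krb_user at EXAMPLE.COM
Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_open_session: entry (0x0)
Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)
"""
# PAM line: type, control (one word or a [bracketed] group), module, arguments.
PAM_LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
LOG_TAG = re.compile(r"pam_krb5\((?P<service>[^:)]+):(?P<type>\w+)\)")

def krb5_options(config_text):
    """Map PAM type -> list of argument lists, one per pam_krb5.so line."""
    found = {}
    for line in config_text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0])  # drop trailing comments
        if m and m.group(3).endswith("pam_krb5.so"):
            found.setdefault(m.group(1), []).append(m.group(4).split())
    return found

def logged_types(log_text):
    """PAM types (auth, session, ...) in which pam_krb5 logged anything."""
    return {m.group("type") for m in LOG_TAG.finditer(log_text)}

def audit(config_text, log_text):
    """Per logged type: ccache= values set in this file, or None if no line."""
    opts = krb5_options(config_text)
    report = {}
    for ptype in sorted(logged_types(log_text)):
        if ptype not in opts:
            report[ptype] = None  # module ran for this type, but not from this file
        else:
            report[ptype] = [a.split("=", 1)[1] for args in opts[ptype]
                             for a in args if a.startswith("ccache=")]
    return report

if __name__ == "__main__":
    for ptype, ccaches in audit(PAM_CONFIG, SYSLOG).items():
        print(ptype, "->", "no pam_krb5 line in this file" if ccaches is None else ccaches)
```

A type reported with no line in the inspected file means pam_krb5 was invoked for that type from some other PAM file, which is the next file to inspect.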