Static ticket cache name
Russ Allbery
rra at stanford.edu
Wed Nov 10 18:46:59 EST 2010
Techie <techchavez at gmail.com> writes:
> I actually do get messages as seen below but no errors unfortunately.
> Nov 10 17:32:47 debtest sshd[32058]: pam_krb5(sshd:auth): user
> krb_user authenticated as krb_user at EXAMPLE.COM
> Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session):
> pam_sm_open_session: entry (0x0)
> Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session):
> pam_sm_open_session: exit (success)
> Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session):
> pam_sm_close_session: entry (0x8000)
> Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session):
> pam_sm_close_session: exit (success)

Oh, right, setcred does this. I misled you. Add both the ccache option
and the debug option to the auth stack as well, and then could you show me
the log output from trying again?

> Here is my krb5.conf snippet where I also define the ccache. Not sure if
> this is valid. I also have KRB5CCNAME set to the same in /etc/profile so
> the variable is globally set.

pam_krb5 completely ignores the existing KRB5CCNAME environment variable
for initial authentication, since it may be inherited from the environment
of xinetd or something else.

> [libdefaults]
> default_realm = EXAMPLE.COM
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> ccache = /tmp/krb5cc_000007
> forwardable = true
> proxiable = true

pam_krb5 only looks in [appdefaults], not in [libdefaults] (although it
honors the options in [libdefaults] that are interpreted by the library,
of course).

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
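
The placement described in the reply above, as an added krb5.conf sketch that is not part of the original message or the poster's file: the pam_krb5 options move out of [libdefaults] into a pam subsection of [appdefaults]. The cache pattern FILE:/tmp/krb5cc_%u, the module path and the PAM control flag are assumptions chosen for illustration.

```ini
# Constructed fragment for illustration, not the poster's actual krb5.conf.

[libdefaults]
    # Library-level settings stay here and are still honored,
    # because the Kerberos library itself interprets them.
    default_realm = EXAMPLE.COM
    forwardable = true
    proxiable = true
    # A "ccache = ..." line placed in this section is not read by pam_krb5.

[appdefaults]
    pam = {
        # Assumed static per-user cache name; pam_krb5 expands %u to the
        # numeric UID, so each user gets one fixed cache file.
        ccache = FILE:/tmp/krb5cc_%u
        # Log option handling and cache creation to syslog while testing.
        debug = true
    }

# The same two options can instead be given directly on the auth line of
# the PAM stack (module path and control flag are assumptions):
#   auth  required  pam_krb5.so ccache=FILE:/tmp/krb5cc_%u debug
```

KRB5CCNAME exported from /etc/profile does not influence where pam_krb5 writes the cache at login; the module sets the variable for the session from its own ccache setting.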