Static ticket cache name

Techie techchavez at gmail.com
Wed Nov 10 19:03:50 EST 2010


On Wed, Nov 10, 2010 at 4:46 PM, Russ Allbery <rra at stanford.edu> wrote:
> Techie <techchavez at gmail.com> writes:
>
>> I actually do get messages as seen below but no errors unfortunately.
>
>> Nov 10 17:32:47 debtest sshd[32058]: pam_krb5(sshd:auth): user
>> krb_user authenticated as krb_user at EXAMPLE.COM
>> Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session):
>> pam_sm_open_session: entry (0x0)
>> Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session):
>> pam_sm_open_session: exit (success)
>> Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session):
>> pam_sm_close_session: entry (0x8000)
>> Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session):
>> pam_sm_close_session: exit (success)
>
> Oh, right, setcred does this.  I misled you.  Add both the ccache option
> and the debug option to the auth stack as well, and then could you show me
> the log output from trying again?

OK, one of the changes you suggested seems to have fixed the issue. I
tried testing after the changes and the ticket cache was set
correctly.
So to recap, I set the ccache in the auth and session stack and I put
the ccache in the appdefaults section.

Thank you much for your help, Russ.

>
>> Here is my krb5.conf snippet where I also define the ccache. Not sure if
>> this is valid. I also have KRB5CCNAME set to the same in /etc/profile so
>> the variable is globally set.
>
> pam_krb5 completely ignores the existing KRB5CCNAME environment variable
> for initial authentication, since it may be inherited from the environment
> of xinetd or something else.
>
>> [libdefaults]
>>       default_realm = EXAMPLE.COM
>
>>       krb4_config = /etc/krb.conf
>>       krb4_realms = /etc/krb.realms
>>       kdc_timesync = 1
>>       ccache_type = 4
>>       ccache = /tmp/krb5cc_000007
>>       forwardable = true
>>       proxiable = true
>
> pam_krb5 only looks in [appdefaults], not in [libdefaults] (although it
> honors the options in [libdefaults] that are interpreted by the library,
> of course).
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>
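
An added example, not part of the original thread and not pam_krb5's own code: a small Python check for the two misconfigurations discussed above (a pam_krb5 option placed in [libdefaults], and a ccache setting missing from the auth stack). It also flags a fixed cache file name under /tmp, since the pam-krb5 documentation recommends a pattern ending in XXXXXX for world-writable directories; the function names, the option subset and the sample files (including the %u/XXXXXX pattern in the "after" file) are constructed for illustration.

```python
PAM_ONLY = {"ccache", "ccache_dir"}  # pam_krb5 options (subset chosen for this example)

def parse_krb5(text):
    """Flatten krb5.conf into {(section, 'block/key'): value}, tracking { } nesting."""
    out, section, stack = {}, None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section, stack = line.strip("[]"), []
        elif line == "}":
            stack.pop()
        elif line and line[0] not in "#;":
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":
                stack.append(key)
            else:
                out[(section, "/".join(stack + [key]))] = val
    return out

def pam_args(pam_text):
    """Return {module type: {option: value}} for each pam_krb5.so line."""
    stacks = {}
    for f in map(str.split, pam_text.splitlines()):
        idx = next((i for i, tok in enumerate(f) if "pam_krb5.so" in tok), None)
        if idx and not f[0].startswith("#"):
            stacks[f[0].lstrip("-")] = dict(a.partition("=")[::2] for a in f[idx + 1:])
    return stacks

def audit(krb5_text, pam_text):
    conf, stacks, findings = parse_krb5(krb5_text), pam_args(pam_text), []
    for section, path in conf:
        if section == "libdefaults" and path in PAM_ONLY:
            findings.append(f"[libdefaults] {path}: not read by pam_krb5, use [appdefaults]")
    # Simplification: only top-level and pam = { } keys of [appdefaults], no realm blocks.
    app = conf.get(("appdefaults", "pam/ccache"), conf.get(("appdefaults", "ccache")))
    for kind in (k for k in ("auth", "session") if k in stacks):
        value = stacks[kind].get("ccache", app)  # a PAM argument overrides krb5.conf
        if value is None:
            findings.append(f"{kind}: no ccache setting, default cache name applies")
        elif "/tmp/" in value and not value.endswith("XXXXXX"):
            findings.append(f"{kind}: fixed cache path {value} in world-writable directory")
    return findings

# Constructed sample files, modelled on the thread's snippets.
KRB5_BEFORE = "[libdefaults]\n  default_realm = EXAMPLE.COM\n  ccache = /tmp/krb5cc_000007\n"
PAM_BEFORE = "auth sufficient pam_krb5.so\nsession optional pam_krb5.so ccache=/tmp/krb5cc_000007 debug\n"
KRB5_AFTER = "[appdefaults]\n  pam = {\n    ccache = /tmp/krb5cc_%u_XXXXXX\n  }\n"
PAM_AFTER = "auth sufficient pam_krb5.so debug\nsession optional pam_krb5.so debug\n"

if __name__ == "__main__":
    print(audit(KRB5_BEFORE, PAM_BEFORE), audit(KRB5_AFTER, PAM_AFTER), sep="\n")
```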



