Help: User login problems in NFS4 + Kerberos integration

Lee Eric openlinuxsource at gmail.com
Sun Oct 16 07:32:28 EDT 2011


Hi all,

I integrated NFS4 and Kerberos properly. However, I noticed that users
whose home dirs are on NFS4 shares cannot log in. In my environment,
some users have their home dirs on OpenAFS, others on NFS4.

Here's a partial /var/log/secure log from the client side (host name:
submit) as the user amy logs in.

Oct 16 01:59:19 submit unix_chkpwd[1272]: password check failed for user (amy)
Oct 16 01:59:19 submit login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=amy

And here's the client side /etc/pam.d/system-auth contents.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        optional      pam_afs_session.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     required      pam_afs_session.so

Here's a partial /var/log/krb5kdc.log from the server side (host name:
server) as the user amy logs in.

Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: amy@HERDINGCAT.INTERNAL for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL, Additional pre-authentication required
Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=18 ses=18}, amy@HERDINGCAT.INTERNAL for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL
Oct 16 02:01:51 server.herdingcat.internal krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL

I'm very curious why the system is going to try AFS there. I have
defined the home dirs on NFS shares.

Could anyone help me to figure it out?

Thanks very much.

Eric
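As an added example (not part of Eric's post, and not code from Linux-PAM, pam_krb5 or pam_afs_session), here is a small evaluator of the Linux-PAM control semantics (required / requisite / sufficient / optional and the explicit `[retval=action ...]` form) applied to the auth and session stacks quoted above. It reads the posted lines and runs each phase under an assumed per-module result table taken from the logs: pam_unix fails (the unix_chkpwd line in /var/log/secure) and pam_krb5 succeeds (the KDC shows the TGT ISSUE). Under those assumptions the auth phase succeeds at pam_krb5, because a failing `sufficient` module is ignored and a succeeding one ends the stack, so the pam_unix "authentication failure" message by itself does not deny the login. The session stack is evaluated twice: once with pam_afs_session succeeding and once with it assumed to fail, since it is a `required` session module that runs on every login whatever filesystem holds the home directory, and turning the Kerberos ticket into AFS tokens is what needs an afs/<cell> service ticket from the KDC. The module names are those of the posted config; the return-code table, the `diagnose` helper, the crond scenario and the AFS failure scenario are illustrative assumptions, not observations.

```python
"""Walk a Linux-PAM stack the way libpam's dispatcher does.

Added example, not code from the post or from any PAM project: it parses the
system-auth lines quoted above and evaluates the auth and session phases under
an ASSUMED table of per-module return codes, showing which module decides.
"""
import re

# libpam's expansion of the four keyword controls (see pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")
# Modules whose result never varies; all others come from the assumed table.
FIXED_RESULTS = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}

# auth and session phases of the client's system-auth from the post (sample
# input copied from the post, with the mail-wrapped line rejoined).
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        optional      pam_afs_session.so
auth        required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     required      pam_afs_session.so
"""


def parse_stack(text):
    """One dict per non-comment line: phase, action table, module, args."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        dash, phase, control, module, args = m.groups()
        if control.startswith("["):        # explicit [retval=action ...] table
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORD_CONTROLS[control]
        entries.append({"phase": phase, "control": table, "module": module,
                        "args": args.split(), "skip_if_missing": dash == "-"})
    return entries


def run_phase(entries, phase, results):
    """Evaluate one phase; `results` maps module -> assumed return code.

    Returns (final status, [(module, retval, action)] for modules actually run),
    mirroring libpam's impression/status bookkeeping.
    """
    stack = [e for e in entries if e["phase"] == phase]
    impression, status, trace, i = None, "success", [], 0
    while i < len(stack):
        entry = stack[i]
        retval = results.get(entry["module"], FIXED_RESULTS.get(entry["module"], "success"))
        action = entry["control"].get(retval, entry["control"].get("default", "bad"))
        trace.append((entry["module"], retval, action))
        i += 1
        if action.isdigit():               # "success=N": jump over the next N modules
            i += int(action)
        elif action in ("ok", "done"):
            if impression != "negative":   # an earlier required failure wins
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                      # sufficient: decision made, stop here
        elif action in ("bad", "die"):
            if impression != "negative":   # the first failure is the one reported
                impression, status = "negative", retval
            if action == "die":
                break                      # requisite: stop immediately
        # "ignore": this module's result does not touch the verdict
    return (status if impression else "perm_denied"), trace


# Assumed results matching the posted logs: unix_chkpwd rejects the local
# password, the KDC issues amy a TGT so pam_krb5 succeeds, and the session
# pam_succeed_if ("service in crond") fails for a tty login.
OBSERVED_AUTH = {"pam_unix.so": "auth_err", "pam_krb5.so": "success"}
OBSERVED_SESSION = {"pam_succeed_if.so": "auth_err"}


def diagnose(auth_results, session_results):
    """Run both phases; report each verdict and the modules that actually ran."""
    entries = parse_stack(SYSTEM_AUTH)
    auth_status, auth_trace = run_phase(entries, "auth", auth_results)
    sess_status, sess_trace = run_phase(entries, "session", session_results)
    return {"auth": auth_status, "auth_ran": [m for m, _, _ in auth_trace],
            "session": sess_status, "session_ran": [m for m, _, _ in sess_trace]}


if __name__ == "__main__":
    good = diagnose(OBSERVED_AUTH, OBSERVED_SESSION)
    afs_fails = diagnose(OBSERVED_AUTH, dict(OBSERVED_SESSION, **{"pam_afs_session.so": "session_err"}))
    print("auth:", good["auth"], "decided at", good["auth_ran"][-1])
    print("session if pam_afs_session succeeds:", good["session"])
    print("session if pam_afs_session fails:", afs_fails["session"])
```

Run it as-is to see the two session outcomes; change the entries in `OBSERVED_AUTH` or `OBSERVED_SESSION` to whatever the real modules return on the client (pam_krb5 and pam_afs_session both log their failures to syslog when given `debug`) and the trace shows which line of system-auth turns the login away.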
