Help: User login problems in NFS4 + Kerberos integration

Lee Eric openlinuxsource at gmail.com
Sun Oct 16 08:20:30 EDT 2011


Hey mate,

No. I don't use autofs here. However, I noticed a very strange
phenomenon here. On the client side I can use ksu to log in as user
amy.

[root at submit ~]# kinit amy
Password for amy at HERDINGCAT.INTERNAL:
[root at submit ~]# ksu amy
Changing uid to amy (502)
[amy at submit root]$ klist
Ticket cache: FILE:/tmp/krb5cc_502.1
Default principal: amy at HERDINGCAT.INTERNAL

Valid starting     Expires            Service principal
10/16/11 02:25:54  10/17/11 02:25:44
krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL
renew until 10/16/11 02:25:54
10/16/11 02:26:01  10/17/11 02:25:44
afs/herdingcat.internal at HERDINGCAT.INTERNAL
renew until 10/16/11 02:25:54
[amy at submit root]$ cd ~
[amy at submit ~]$ pwd
/pool/home/amy
[amy at submit ~]$

But I don't think it makes sense to get an afs TGS. On the server side, I saw
the following information.

Oct 16 02:25:44 server.herdingcat.internal krb5kdc[4522](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH:
amy at HERDINGCAT.INTERNAL for
krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL, Additional
pre-authentication required
Oct 16 02:25:54 server.herdingcat.internal krb5kdc[4522](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318746354,
etypes {rep=18 tkt=18 ses=18}, amy at HERDINGCAT.INTERNAL for
krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL
Oct 16 02:26:01 server.herdingcat.internal krb5kdc[4522](info):
TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318746354,
etypes {rep=18 tkt=1 ses=1}, amy at HERDINGCAT.INTERNAL for
afs/herdingcat.internal at HERDINGCAT.INTERNAL

Why will it try to get OpenAFS stuff? That really makes me confused.

Thanks.

Eric

On Sun, Oct 16, 2011 at 7:48 PM, Mehta, Rohit <rohitm at engr.uconn.edu> wrote:
> Hi Eric, have you configured auto.home for -t nfs4?
>
> Lee Eric <openlinuxsource at gmail.com> wrote:
>
>
> Hi all,
>
> I integrated NFS4 and Kerberos properly. However, I noticed that users
> whose home dirs are in NFS4 shares cannot log in. In my
> environment, some users are using OpenAFS, others using NFS4 as home
> dirs.
>
> Here's the partial client-side (host name: submit) /var/log/secure log
> as the user amy logs in.
>
> Oct 16 01:59:19 submit unix_chkpwd[1272]: password check failed for user (amy)
> Oct 16 01:59:19 submit login: pam_unix(login:auth): authentication
> failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=amy
>
> And here's the client side /etc/pam.d/system-auth contents.
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        optional      pam_afs_session.so
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok
> try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
> session     required      pam_afs_session.so
>
> Here's the partial log of /var/log/krb5kdc.log on the server side (host
> name: server) as user amy logs in.
>
> Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ
> (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH:
> amy at HERDINGCAT.INTERNAL for
> krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL, Additional
> pre-authentication required
> Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ
> (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318744910,
> etypes {rep=18 tkt=18 ses=18}, amy at HERDINGCAT.INTERNAL for
> krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL
> Oct 16 02:01:51 server.herdingcat.internal krb5kdc[4522](info):
> TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318744910,
> etypes {rep=18 tkt=1 ses=1}, amy at HERDINGCAT.INTERNAL for
> afs/herdingcat.internal at HERDINGCAT.INTERNAL
>
> I'm very curious why the system is going to try afs there. I have
> defined the home dirs in NFS shares.
>
> Could anyone help me to figure it out?
>
> Thanks very much.
>
> Eric
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
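A small log-analysis helper, added here as an example (not code from the thread or from any project), that parses the krb5kdc.log lines quoted above: it lists which service tickets each client principal actually obtained, flags single-DES ticket enctypes (tkt=1 is des-cbc-crc, the single-DES type OpenAFS tokens used), and reports clients that got a TGT but no ticket for a given service such as nfs/. The sample lines are the thread's own, with the list's "at" obfuscation restored to "@".

```python
import re
from collections import defaultdict

# Constructed sample: the krb5kdc.log lines quoted in the thread, with the
# list's "at" obfuscation restored to "@" and wrapped lines rejoined.
SAMPLE_LOG = """\
Oct 16 02:25:44 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: amy@HERDINGCAT.INTERNAL for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL, Additional pre-authentication required
Oct 16 02:25:54 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=18 ses=18}, amy@HERDINGCAT.INTERNAL for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL
Oct 16 02:26:01 server.herdingcat.internal krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL
"""
# Kerberos enctype numbers (RFC 3961/3962, MIT krb5); single DES is weak.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3}
HEAD_RE = re.compile(r"krb5kdc\[\d+\]\(\w+\): (AS_REQ|TGS_REQ) .*? ([\d.]+): (\w+): (.*)$")
ISSUE_RE = re.compile(r"authtime (\d+), etypes \{rep=\d+ tkt=(\d+) ses=\d+\}, (.*)$")
PRINC_RE = re.compile(r"(\S+) for (\S+?)(?:,|$)")

def parse_kdc_line(line):
    """Parse one AS_REQ/TGS_REQ line into a dict; return None for any other line."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    kind, ip, status, rest = m.groups()
    tkt = None
    e = ISSUE_RE.search(rest)
    if e:  # only ISSUE lines carry the ticket enctype
        tkt, rest = int(e.group(2)), e.group(3)
    p = PRINC_RE.match(rest)
    return {"kind": kind, "ip": ip, "status": status,
            "client": p.group(1), "service": p.group(2), "tkt_etype": tkt}

def summarize(log_text):
    """Per (client IP, principal): services issued, weak-enctype tickets, preauth prompts."""
    out = defaultdict(lambda: {"issued": [], "weak": [], "preauth_prompts": 0})
    for ev in filter(None, map(parse_kdc_line, log_text.splitlines())):
        rec = out[(ev["ip"], ev["client"])]
        if ev["status"] == "NEEDED_PREAUTH":
            rec["preauth_prompts"] += 1
        elif ev["status"] == "ISSUE":
            rec["issued"].append(ev["service"])
            if ev["tkt_etype"] in WEAK:  # e.g. tkt=1 on the afs/ ticket above
                rec["weak"].append((ev["service"], ENCTYPES[ev["tkt_etype"]]))
    return dict(out)

def missing_service(summary, prefix):
    """Clients that obtained a TGT but never a ticket for a service starting with prefix."""
    return sorted(k for k, v in summary.items()
                  if any(s.startswith("krbtgt/") for s in v["issued"])
                  and not any(s.startswith(prefix) for s in v["issued"]))
```

An nfs/ service ticket would show up in this log only when rpc.gssd on the client requests one on the user's behalf at first access to the krb5-secured mount, so checking for its absence alongside the afs/ request narrows where the login stalls.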



