Ticket cache file permission incorrect of Openafs Client in Scientific Linux 6

huangql huangql at ihep.ac.cn
Mon Aug 26 04:17:43 EDT 2019 

Dear all,

I'm stuck with the ticket cache file permission incorrect  after users login farm with Pam module.  In this case, users failed to run "kpasswd", "klist" command with the following error.

kpasswd: Credentials cache permissions incorrect getting principal from ccache

klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_60037_1BdT0m)


I found the error caused by the incorrect permission of ticket file(all the personal ticket file with the root uid but right gid ).

For example:

-rw------- 1 root u07 469 Jul 29 10:00 /tmp/krb5cc_60037_1BdT0m

And this issue happens in Scientific Linux 6 not in Scientific Linux 7.

I attached the pam.d configuration:


[root at lxslc613 ~]# vi /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_krb5.so try_first_pass
auth        optional      pam_afs_session.so program=/usr/bin/aklog
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_krb5.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    sufficient    pam_krb5.so          use_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_afs_session.so   program=/usr/bin/aklog
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
~


[root at lxslc613 ~]# vi /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_krb5.so try_first_pass
auth        optional      pam_afs_session.so program=/usr/bin/aklog

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_krb5.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_krb5.so
session     optional      pam_afs_session.so   program=/usr/bin/aklog
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Does anyone know about this issue and give me some clues? Any suggestions would be greatly appreciated. Many thanks.

Regards,
Qiulan


huangql
====================================================================
Computing center,the Institute of High Energy Physics, CAS, China
Qiulan Huang                       Tel: (+86) 10 8823 6087
P.O. Box 918-7                       Fax: (+86) 10 8823 6839
Beijing 100049  P.R. China           Email: huangql at ihep.ac.cn
===================================================================

More information about the Kerberos mailing list