Ticket cache file permission incorrect of Openafs Client in Scientific Linux 6
huangql
huangql at ihep.ac.cn
Mon Aug 26 04:17:43 EDT 2019
Dear all,
I'm stuck with the ticket cache file permission incorrect after users login farm with Pam module. In this case, users failed to run "kpasswd", "klist" command with the following error.
kpasswd: Credentials cache permissions incorrect getting principal from ccache
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_60037_1BdT0m)
I found the error caused by the incorrect permission of ticket file(all the personal ticket file with the root uid but right gid ).
For example:
-rw------- 1 root u07 469 Jul 29 10:00 /tmp/krb5cc_60037_1BdT0m
And this issue happens in Scientific Linux 6 not in Scientific Linux 7.
I attached the pam.d configuration:
[root at lxslc613 ~]# vi /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth sufficient pam_krb5.so try_first_pass
auth optional pam_afs_session.so program=/usr/bin/aklog
auth required pam_env.so
auth sufficient pam_fprintd.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account sufficient pam_krb5.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password sufficient pam_krb5.so use_first_pass
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session required pam_unix.so
session optional pam_krb5.so
session optional pam_afs_session.so program=/usr/bin/aklog
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
~
[root at lxslc613 ~]# vi /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth sufficient pam_krb5.so try_first_pass
auth optional pam_afs_session.so program=/usr/bin/aklog
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account sufficient pam_krb5.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_krb5.so
session optional pam_afs_session.so program=/usr/bin/aklog
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Does anyone know about this issue and give me some clues? Any suggestions would be greatly appreciated. Many thanks.
Regards,
Qiulan
huangql
====================================================================
Computing center,the Institute of High Energy Physics, CAS, China
Qiulan Huang Tel: (+86) 10 8823 6087
P.O. Box 918-7 Fax: (+86) 10 8823 6839
Beijing 100049 P.R. China Email: huangql at ihep.ac.cn
===================================================================
More information about the Kerberos
mailing list