I have configured the two PAM config files as proposed in http://www.gentoo.org/doc/en/openafs.xml and it seems:

May 23 00:50:40 oxygen su[26355]: + pts/0 root:mmokrejs
May 23 00:51:08 oxygen pam_afs: AFS Authentication failed for user mmokrejs. Authentication Server was unavailable
May 23 00:51:08 oxygen su(pam_unix)[26355]: session opened for user mmokrejs by (uid=0)
May 23 00:51:25 oxygen su(pam_unix)[26355]: session closed for user mmokrejs

Enabling debug in /etc/pam.d/su I get:

May 23 01:07:48 oxygen su[26478]: Successful su for mmokrejs by root
May 23 01:07:48 oxygen su[26478]: + pts/3 root:mmokrejs
May 23 01:08:25 oxygen device lo left promiscuous mode
May 23 01:08:28 oxygen pam_afs[26490]: AFS Options: nowarn=0, use_first_pass=0, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 100, refresh_token=0, set_token=0, dont_fork=0, use_klog=0
May 23 01:08:28 oxygen pam_afs[26490]: AFS Username = `mmokrejs'
May 23 01:08:28 oxygen pam_afs[26490]: AFS No first password for user mmokrejs
May 23 01:08:30 oxygen pam_afs[26490]: New PAG created in pam_authenticate()
May 23 01:08:30 oxygen pam_afs[26490]: forking ...
May 23 01:08:30 oxygen pam_afs[26491]: in child
May 23 01:08:30 oxygen pam_afs[26490]: in parent, waiting ...
May 23 01:08:58 oxygen pam_afs[26491]: AFS Authentication failed for user mmokrejs. Authentication Server was unavailable
May 23 01:08:58 oxygen pam_afs[26491]: child: auth_ok=0
May 23 01:08:58 oxygen pam_afs[26490]: parent: auth_ok=0
May 23 01:08:58 oxygen pam_afs[26490]: leaving auth: auth_ok=0
May 23 01:08:58 oxygen su[26490]: Successful su for mmokrejs by root
May 23 01:08:58 oxygen su[26490]: + pts/2 root:mmokrejs
May 23 01:08:58 oxygen pam_afs: AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 100, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
May 23 01:08:58 oxygen pam_afs: AFS Establishing creds for user mmokrejs
May 23 01:08:58 oxygen pam_afs: AFS Trying first password for user mmokrejs
May 23 01:09:26 oxygen pam_afs: AFS Authentication failed for user mmokrejs. Authentication Server was unavailable
May 23 01:09:26 oxygen su(pam_unix)[26490]: session opened for user mmokrejs by (uid=0)

I think this is because the module is looking for kaserver instead of the KDC from Heimdal, so on the wrong port. I think there was a way to set the IP and port number in /usr/etc/afs/krb.conf, but I don't remember the details. Maybe you have hit this issue already, Stefan?
(In reply to comment #0)
> I have configure the two pam config files as proposed in
> http://www.gentoo.org/doc/en/openafs.xml and it seems
>
> May 23 00:50:40 oxygen su[26355]: + pts/0 root:mmokrejs
> May 23 00:51:08 oxygen pam_afs: AFS Authentication failed for user mmokrejs. Authentication Server was unavailable
> May 23 00:51:08 oxygen su(pam_unix)[26355]: session opened for user mmokrejs by (uid=0)
> May 23 00:51:25 oxygen su(pam_unix)[26355]: session closed for user mmokrejs
>
> Enabling debug in /etc/pam.d/su I get:
>
> May 23 01:07:48 oxygen su[26478]: Successful su for mmokrejs by root
> May 23 01:07:48 oxygen su[26478]: + pts/3 root:mmokrejs
> May 23 01:08:25 oxygen device lo left promiscuous mode
> May 23 01:08:28 oxygen pam_afs[26490]: AFS Options: nowarn=0, use_first_pass=0, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 100, refresh_token=0, set_token=0, dont_fork=0, use_klog=0
> May 23 01:08:28 oxygen pam_afs[26490]: AFS Username = `mmokrejs'
> May 23 01:08:28 oxygen pam_afs[26490]: AFS No first password for user mmokrejs
> May 23 01:08:30 oxygen pam_afs[26490]: New PAG created in pam_authenticate()
> May 23 01:08:30 oxygen pam_afs[26490]: forking ...
> May 23 01:08:30 oxygen pam_afs[26491]: in child
> May 23 01:08:30 oxygen pam_afs[26490]: in parent, waiting ...
> May 23 01:08:58 oxygen pam_afs[26491]: AFS Authentication failed for user mmokrejs. Authentication Server was unavailable
> May 23 01:08:58 oxygen pam_afs[26491]: child: auth_ok=0
> May 23 01:08:58 oxygen pam_afs[26490]: parent: auth_ok=0
> May 23 01:08:58 oxygen pam_afs[26490]: leaving auth: auth_ok=0
> May 23 01:08:58 oxygen su[26490]: Successful su for mmokrejs by root
> May 23 01:08:58 oxygen su[26490]: + pts/2 root:mmokrejs
> May 23 01:08:58 oxygen pam_afs: AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 100, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
> May 23 01:08:58 oxygen pam_afs: AFS Establishing creds for user mmokrejs
> May 23 01:08:58 oxygen pam_afs: AFS Trying first password for user mmokrejs
> May 23 01:09:26 oxygen pam_afs: AFS Authentication failed for user mmokrejs. Authentication Server was unavailable
> May 23 01:09:26 oxygen su(pam_unix)[26490]: session opened for user mmokrejs by (uid=0)
>
> I think this is because the module is looking for kaserver instead of KDC from
> heimdal, so on wrong port. I think there was a way to set the IP and portnumber
> in /usr/etc/afs/krb.conf, but don't remember details. Maybe you have hit this
> issue already, Stefan?

If you are using Kerberos 5 auth with OpenAFS, you should be using pam_krb5 rather than pam_afs. You should use sys-auth/pam_krb5-2.2.6 (although you will have to change the DEPEND line in the ebuild, as it depends on app-crypt/mit-krb5 instead of virtual/krb5). You may also want pam-openafs-session.
I lack broad experience with heimdal, but Bryan's comment sounds sensible to me. Does this fix your problem, Martin?
So, I derived -r1 from the 2.2.6 ebuild, unmasked that for ~x86 and installed it.

>>> Merging sys-auth/pam_krb5-2.2.6-r1 to /
--- /usr/
--- /usr/bin/
>>> /usr/bin/afs5log
--- /usr/share/
--- /usr/share/man/
--- /usr/share/man/man1/
>>> /usr/share/man/man1/afs5log.1.gz
--- /usr/share/man/man5/
>>> /usr/share/man/man5/pam_krb5.5.gz
--- /usr/share/man/man8/
>>> /usr/share/man/man8/pam_krb5.8.gz
>>> /usr/share/man/man8/pam_krb5_storetmp.8.gz
--- /usr/share/doc/
>>> /usr/share/doc/pam_krb5-2.2.6-r1/
>>> /usr/share/doc/pam_krb5-2.2.6-r1/AUTHORS.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/ChangeLog.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/COPYING.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/INSTALL.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/NEWS.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/README.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/TODO.gz
--- /lib/
--- /lib/security/
>>> /lib/security/pam_krb5/
>>> /lib/security/pam_krb5/pam_krb5_storetmp
>>> /lib/security/pam_krb5.so
>>> /lib/security/pam_krb5.la

To /etc/pam.d/su I have added:

auth sufficient pam_krb5.so try_first_pass

and of course removed all pam_afs occurrences. That fixed my problem, and after doing the following from root's account:

# su - mmokrejs
Password: *****
mmokrejs$ klist
Credentials cache: FILE:/tmp/krb5cc_1002_k2GKbN
        Principal: mmokrejs@FOO.BAR

  Issued           Expires          Principal
May 30 17:50:27  Jun  6 17:50:27  krbtgt/FOO.BAR@FOO.BAR

mmokrejs$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1002) tokens for afs@foo.bar [Expires Jun  6 17:50]
   --End of list--
mmokrejs$

While studying /var/log/messages containing the debug log of pam_krb5-2, I see it attempt a krb4 request and later fall back via a krb5 request and krb5 "2b" requests. It first looks for afs/cellname@REALM and later for afs@REALM.
For users who do not have krb4 support compiled in and are not using kaserver emulation from Heimdal's KDC, I propose setting in /etc/krb5.conf:

[appdefaults]
        ticket_lifetime = 7 days
        renew_lifetime = unlimited
        forwardable = true
        proxiable = true
        encrypt = true
        forward = true
        libkafs = {
                afs-use-524 = local
        }
        pam = {
                krb4_convert = false
                krb4_convert_524 = false
        }

In /etc/pam.d/system-auth I had set:

auth sufficient pam_krb5.so use_first_pass ignore_root

And it seems to me I should also set in the same file:

session optional pam_openafs_session.so

But I cannot find which package that library belongs to. Bryan?
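As an added example (not from this bug, the Gentoo guide or the pam_krb5 project), here is a small POSIX sh audit of the pam_afs to pam_krb5 migration the comments above describe. It reads a PAM stack file, flags any leftover pam_afs line (which talks to a kaserver and fails against a Heimdal KDC exactly as in the log above), requires an auth line for pam_krb5.so, and notes when that line is `sufficient` (a success ends the auth phase, so later auth modules are skipped for that user) or when no pam_openafs_session.so session line exists (no PAG/tokens at login). The two sample stacks it writes are constructed for the demo; the file paths are the caller's choice.

```sh
#!/bin/sh
# Added example, not code from the bug thread: audit a PAM stack file for the
# pam_afs -> pam_krb5 migration. Exit status of audit_pam_stack:
#   0 = stack looks migrated, 1 = a blocking problem was found.

audit_pam_stack() {
    file="$1"
    rc=0
    # Drop comments and blank lines; remaining fields are: type control module [args]
    stack=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$')

    if printf '%s\n' "$stack" | grep -q 'pam_afs'; then
        echo "$file: pam_afs still referenced; it talks to a kaserver, not a Heimdal KDC"
        rc=1
    fi

    if ! printf '%s\n' "$stack" | awk '$1 == "auth" && $3 ~ /pam_krb5\.so/ { ok = 1 } END { exit !ok }'; then
        echo "$file: no 'auth ... pam_krb5.so' line"
        rc=1
    fi

    # 'sufficient' ends the auth phase on success, so later auth modules are skipped
    if printf '%s\n' "$stack" | awk '$1 == "auth" && $2 == "sufficient" && $3 ~ /pam_krb5\.so/ { ok = 1 } END { exit !ok }'; then
        echo "$file: pam_krb5 is 'sufficient'; confirm ignore_root (or a later pam_unix line) covers local accounts"
    fi

    if ! printf '%s\n' "$stack" | awk '$1 == "session" && $3 ~ /pam_openafs_session\.so/ { ok = 1 } END { exit !ok }'; then
        echo "$file: no session line for pam_openafs_session.so; no PAG/tokens will be set up at login"
    fi
    return $rc
}

# Constructed sample: a stack that still authenticates through pam_afs
write_old_stack() {
    cat > "$1" <<'EOF'
auth       sufficient   pam_afs.so try_first_pass
auth       required     pam_unix.so try_first_pass
session    required     pam_unix.so
EOF
}

# Constructed sample: the migrated stack, pam_krb5 for auth plus the AFS session module
write_new_stack() {
    cat > "$1" <<'EOF'
auth       sufficient   pam_krb5.so use_first_pass ignore_root
auth       required     pam_unix.so try_first_pass
session    optional     pam_openafs_session.so
session    required     pam_unix.so
EOF
}

# Demo run: audit both samples and report the verdict
tmpdir=${TMPDIR:-/tmp}/pam-audit.$$
mkdir -p "$tmpdir"
write_old_stack "$tmpdir/su.old"
write_new_stack "$tmpdir/su.new"
audit_pam_stack "$tmpdir/su.old" && echo "su.old: OK" || echo "su.old: needs migration"
audit_pam_stack "$tmpdir/su.new" && echo "su.new: OK" || echo "su.new: needs migration"
rm -rf "$tmpdir"
```

Run it against a real stack with `audit_pam_stack /etc/pam.d/su` (or system-auth). The script only reads the PAM file; it does not touch the KDC or the AFS cache manager, so it is safe to run on a box where authentication is currently broken.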
OK, I picked up the module from http://packages.ubuntu.com/hoary/source/libpam-openafs-session. It seems to me the name libpam-openafs-session is introduced through the patch. It should probably work, but I haven't tried it yet. Maybe Stefaan will make an ebuild for it faster than I get back to it. ;-)
No activity for some time. Closing.
Stefan, why? Did you try at all? OK, I have not used AFS for a while, and I do not have the time to re-test the _current_ status. Thanks anyway. Do what you want. M.