| Summary: | net-fs/openafs: pam-afs module looks for kaserver instead of heimdal KDC | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Martin Mokrejš <mmokrejs> |
| Component: | [OLD] Server | Assignee: | Stefaan De Roeck (RETIRED) <stefaan> |
| Status: | RESOLVED NEEDINFO | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
|
Description
Martin Mokrejš
2006-05-22 16:14:24 UTC
(In reply to comment #0)
> I have configured the two pam config files as proposed in
> http://www.gentoo.org/doc/en/openafs.xml and it seems
>
> May 23 00:50:40 oxygen su[26355]: + pts/0 root:mmokrejs
> May 23 00:51:08 oxygen pam_afs: AFS Authentication failed for user mmokrejs.
> Authentication Server was unavailable
> May 23 00:51:08 oxygen su(pam_unix)[26355]: session opened for user mmokrejs by
> (uid=0)
> May 23 00:51:25 oxygen su(pam_unix)[26355]: session closed for user mmokrejs
>
> Enabling debug in /etc/pam.d/su I get:
>
> May 23 01:07:48 oxygen su[26478]: Successful su for mmokrejs by root
> May 23 01:07:48 oxygen su[26478]: + pts/3 root:mmokrejs
> May 23 01:08:25 oxygen device lo left promiscuous mode
> May 23 01:08:28 oxygen pam_afs[26490]: AFS Options: nowarn=0, use_first_pass=0,
> try_first_pass=0, ignore_uid = 1, ignore_uid_id = 100, refresh_token=0,
> set_token=0, dont_fork=0, use_klog=0
> May 23 01:08:28 oxygen pam_afs[26490]: AFS Username = `mmokrejs'
> May 23 01:08:28 oxygen pam_afs[26490]: AFS No first password for user mmokrejs
> May 23 01:08:30 oxygen pam_afs[26490]: New PAG created in pam_authenticate()
> May 23 01:08:30 oxygen pam_afs[26490]: forking ...
> May 23 01:08:30 oxygen pam_afs[26491]: in child
> May 23 01:08:30 oxygen pam_afs[26490]: in parent, waiting ...
> May 23 01:08:58 oxygen pam_afs[26491]: AFS Authentication failed for user
> mmokrejs. Authentication Server was unavailable
> May 23 01:08:58 oxygen pam_afs[26491]: child: auth_ok=0
> May 23 01:08:58 oxygen pam_afs[26490]: parent: auth_ok=0
> May 23 01:08:58 oxygen pam_afs[26490]: leaving auth: auth_ok=0
> May 23 01:08:58 oxygen su[26490]: Successful su for mmokrejs by root
> May 23 01:08:58 oxygen su[26490]: + pts/2 root:mmokrejs
> May 23 01:08:58 oxygen pam_afs: AFS Options: nowarn=0, use_first_pass=1,
> try_first_pass=0, ignore_uid = 1, ignore_uid_id = 100, refresh_token=8,
> set_token=8, dont_fork=8, use_klog=8
> May 23 01:08:58 oxygen pam_afs: AFS Establishing creds for user mmokrejs
> May 23 01:08:58 oxygen pam_afs: AFS Trying first password for user mmokrejs
> May 23 01:09:26 oxygen pam_afs: AFS Authentication failed for user mmokrejs.
> Authentication Server was unavailable
> May 23 01:09:26 oxygen su(pam_unix)[26490]: session opened for user mmokrejs by
> (uid=0)
>
> I think this is because the module is looking for kaserver instead of KDC from
> heimdal, so on wrong port. I think there was a way to set the IP and portnumber
> in /usr/etc/afs/krb.conf, but don't remember details. Maybe you have hit this
> issue already, Stefan?

If you are using Kerberos 5 auth with OpenAFS, you should be using pam_krb5 rather than pam_afs. You should use sys-auth/pam_krb5-2.2.6 (although you will have to change the DEPEND line in the ebuild, as it depends on app-crypt/mit-krb5 instead of virtual/krb5). You may also want pam-openafs-session.

I lack broad experience with heimdal, but Bryan's comment sounds sensible to me. Does this fix your problem, Martin?

So, I derived -r1 from 2.2.6 ebuild, unmasked that for ~x86 and installed that.

```
>>> Merging sys-auth/pam_krb5-2.2.6-r1 to /
--- /usr/
--- /usr/bin/
>>> /usr/bin/afs5log
--- /usr/share/
--- /usr/share/man/
--- /usr/share/man/man1/
>>> /usr/share/man/man1/afs5log.1.gz
--- /usr/share/man/man5/
>>> /usr/share/man/man5/pam_krb5.5.gz
--- /usr/share/man/man8/
>>> /usr/share/man/man8/pam_krb5.8.gz
>>> /usr/share/man/man8/pam_krb5_storetmp.8.gz
--- /usr/share/doc/
>>> /usr/share/doc/pam_krb5-2.2.6-r1/
>>> /usr/share/doc/pam_krb5-2.2.6-r1/AUTHORS.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/ChangeLog.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/COPYING.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/INSTALL.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/NEWS.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/README.gz
>>> /usr/share/doc/pam_krb5-2.2.6-r1/TODO.gz
--- /lib/
--- /lib/security/
>>> /lib/security/pam_krb5/
>>> /lib/security/pam_krb5/pam_krb5_storetmp
>>> /lib/security/pam_krb5.so
>>> /lib/security/pam_krb5.la
```

To /etc/pam.d/su I have added:

```
auth sufficient pam_krb5.so try_first_pass
```

and removed of course all pam_afs occurrences. That fixed my problem and after doing from root's account:

```
# su - mmokrejs
Password: *****
mmokrejs$ klist
Credentials cache: FILE:/tmp/krb5cc_1002_k2GKbN
        Principal: mmokrejs@FOO.BAR

  Issued           Expires          Principal
May 30 17:50:27  Jun  6 17:50:27  krbtgt/FOO.BAR@FOO.BAR
mmokrejs$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1002) tokens for afs@foo.bar [Expires Jun  6 17:50]
   --End of list--
mmokrejs$
```

While studying /var/log/messages containing the debug log of pam_krb5-2 I see it attempt krb4 request and later fallback via krb5 request and krb5 "2b" requests. It tries first to look for afs/cellname@REALM and later for afs@REALM.

To users not having krb4 support compiled in nor using kaserver emulation from Heimdal's KDC I propose to set in /etc/krb5.conf:

```
[appdefaults]
        ticket_lifetime = 7 days
        renew_lifetime = unlimited
        forwardable = true
        proxiable = true
        encrypt = true
        forward = true
        libkafs = {
                afs-use-524 = local
        }
        pam = {
                krb4_convert = false
                krb4_convert_524 = false
        }
```

In /etc/pam.d/system-auth I had set:

```
auth sufficient pam_krb5.so use_first_pass ignore_root
```

And it seems to me I should set in the same file also:

```
session optional pam_openafs_session.so
```

But, I cannot find to which package that library should belong. Bryan?

OK, the module I picked up from http://packages.ubuntu.com/hoary/source/libpam-openafs-session

It seems to me the name libpam-openafs-session is introduced through the patch. It should probably work but haven't tried that yet. Maybe Stefaan will make an ebuild for it faster than I get back to it. ;-)

No activity for some time. Closing.

Stefan why? Did you try at all?

OK, I do not use AFS for a while anymore, I do not have the time to re-test the _current_ status. Thanks anyway. Do what you want.

M.
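The fix the thread settles on is a PAM stack change: every pam_afs.so line (the module that talks to kaserver) goes away, pam_krb5.so takes over the auth phase with use_first_pass/try_first_pass, and pam_openafs_session.so in the session phase turns the Kerberos 5 ticket into an AFS token. The linter below checks a pam.d file for exactly those three conditions; it is an added example, not code from the bug report, OpenAFS or pam_krb5, and the sample su stacks are constructed. It assumes plain single-word control fields (bracketed `[success=...]` controls are not parsed).

```python
"""Lint a pam.d stack for the pam_afs -> pam_krb5 + pam_openafs_session change.

Added example (not from the bug report). Parses "type control module [args]"
lines and reports leftover pam_afs.so, a missing/unchained pam_krb5.so auth
entry, and a missing pam_openafs_session.so session entry.
"""

# Constructed sample: /etc/pam.d/su before the change (pam_afs) and after.
BEFORE = """\
auth    sufficient  pam_rootok.so
auth    sufficient  pam_afs.so try_first_pass ignore_uid 100
auth    required    pam_unix.so
session required    pam_unix.so
"""

AFTER = """\
auth    sufficient  pam_rootok.so
auth    sufficient  pam_krb5.so try_first_pass
auth    required    pam_unix.so
session required    pam_unix.so
session optional    pam_openafs_session.so
"""


def parse_pam(text):
    """Return (type, control, module, [args]) tuples; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3:          # blank, comment or malformed; pam skips it too
            continue
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def lint_pam(text):
    """Return a list of findings; an empty list means the stack matches the fix."""
    entries = parse_pam(text)
    findings = []
    for typ, _ctl, module, _args in entries:
        if module == "pam_afs.so":
            findings.append(f"{typ}: pam_afs.so still present (kaserver-only)")
    krb5_auth = [a for t, _c, m, a in entries if t == "auth" and m == "pam_krb5.so"]
    if not krb5_auth:
        findings.append("auth: pam_krb5.so missing")
    elif not any(x in ("use_first_pass", "try_first_pass") for x in krb5_auth[0]):
        findings.append("auth: pam_krb5.so without use_first_pass/try_first_pass")
    if not any(t == "session" and m == "pam_openafs_session.so" for t, _c, m, _a in entries):
        findings.append("session: pam_openafs_session.so missing (no AFS token)")
    return findings
```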