
Questions on kpam-20031001



Hi,

I just built and installed the new kpam.so -- kpam-20031001 on a sparc
solaris 9 with heimdal 0.6, krb4-1.2.2, openafs-1.2.10.

I configured as follows --

 ./configure --enable-afs --with-krb4=/usr/athena --with-krb5=/usr/heimdal

This built with no major complaints.

My /etc/pam.conf --


#
#ident	"@(#)pam.conf	1.20	02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth sufficient		kpam.so try_first_pass afs_aquire_pag
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient		kpam.so try_first_pass
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account required	pam_projects.so.1
cron	account required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account requisite	pam_roles.so.1
other	account required	pam_projects.so.1
other	account required	pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin		auth optional		pam_krb5.so.1 try_first_pass
#login		auth optional		pam_krb5.so.1 try_first_pass
#other		auth optional		pam_krb5.so.1 try_first_pass
#cron		account optional 	pam_krb5.so.1
#other		account optional 	pam_krb5.so.1
#other		session optional 	pam_krb5.so.1
#other		password optional 	pam_krb5.so.1 try_first_pass


The good news is that this basically works. I get my afs token upon login
with the correct permissions.

I do not, however, get the krb4 ticket. I probably don't need it but
since I built everything for it I would have expected to get it. Kinit
does obtain the krb4 ticket.

Another concern is an error in the logs when an afs user logs out --

Oct  1 11:33:16 richter.njit.edu sshd[11070]: [ID 132535 auth.crit] afslog: failed with 2
Oct  1 11:56:11 richter.njit.edu sshd[11080]: [ID 132535 auth.crit] afslog: failed with 2
Oct  1 11:56:32 richter.njit.edu sshd[11255]: [ID 132535 auth.crit] afslog: failed with 2
Oct  1 11:56:58 richter.njit.edu sshd[11265]: [ID 132535 auth.crit] afslog: failed with 2
Oct  1 11:57:08 richter.njit.edu sshd[11277]: [ID 132535 auth.crit] afslog: failed with 2
Oct  1 12:27:03 richter.njit.edu sshd[11287]: [ID 132535 auth.crit] afslog: failed with 2
Oct  1 12:32:56 richter.njit.edu sshd[11324]: [ID 132535 auth.crit] afslog: failed with 2
Oct  1 13:23:59 richter.njit.edu sshd[11363]: [ID 132535 auth.crit] afslog: failed with 2
Oct  1 13:27:54 richter.njit.edu sshd[11382]: [ID 132535 auth.crit] afslog: failed with 2

Suggestions??

_________________________________________________________________
Gedaliah Wolosh, Ph.D.
Manager Computing Resources - CCS
New Jersey Institute of Technology	 Office 973 596-5437
323 King Blvd 	GITC 2203		 Fax    973 642-4761
Newark, NJ 07102                         Email  gwolosh@njit.edu
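Added example, not code from the original post or from kpam: a small Python auditor for the four-column Solaris pam.conf format, parsing the kpam.so-relevant lines quoted above into per-service stacks. It assumes, as Solaris PAM does, that a service with no explicit entry (for example sshd, which is never named in this file) resolves to the "other" stack, and reads off the control flag, position and options of kpam.so for each service.

```python
from collections import defaultdict

# Constructed sample: the kpam.so-relevant lines of the pam.conf quoted above.
SAMPLE_PAM_CONF = """\
login   auth sufficient   kpam.so try_first_pass afs_aquire_pag
login   auth requisite    pam_authtok_get.so.1
login   auth required     pam_unix_auth.so.1
other   auth sufficient   kpam.so try_first_pass
other   auth requisite    pam_authtok_get.so.1
other   auth required     pam_unix_auth.so.1
other   session required  pam_unix_session.so.1
#other  auth optional     pam_krb5.so.1 try_first_pass
"""

def parse_pam_conf(text):
    """Map (service, module_type) -> ordered [(control_flag, module, options)].
    Line format: service module_type control_flag module_path [options...]; '#' comments."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops the commented-out pam_krb5 line
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module, *options = fields
        stacks[(service, mtype)].append((control.lower(), module, options))
    return dict(stacks)

def stack_for(stacks, service, mtype):
    """Effective stack for a service: its own entries, else the 'other' default."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def kerberos_entry(stacks, service):
    """(control_flag, options) of kpam.so in the effective auth stack, or None."""
    for control, module, options in stack_for(stacks, service, "auth"):
        if module == "kpam.so":
            return control, options
    return None

def krb_sufficient_before_unix(stacks, service):
    """True when kpam.so is 'sufficient' and precedes pam_unix_auth.so.1: a Kerberos
    success ends the stack early, a failure still falls through to the local check."""
    entries = stack_for(stacks, service, "auth")
    names = [m for _, m, _ in entries]
    if "kpam.so" not in names or "pam_unix_auth.so.1" not in names:
        return False
    k = names.index("kpam.so")
    return entries[k][0] == "sufficient" and k < names.index("pam_unix_auth.so.1")
```

To audit a live system, pass the contents of /etc/pam.conf to parse_pam_conf instead of the sample.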