SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Tue, 28 Oct 2008 11:31:47 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (147 lines)

Felix Engel wrote:
> On Tue, Oct 28, 2008 at 10:57:22AM -0500, Troy Dawson wrote:
>> Ahh ... the old log in with the password and not via kerberos tickets, and 
>> don't get the credentials problem.  Yes, I remember that one.
>> Unfortunately, I don't remember if it was resolved ... but I'm pretty sure 
>> there is a bugzilla about this.  But right at the moment, I'm pretty swamped 
>> and am not able to find it.
> 
> Thanks, this is good enough for me for now. Just one more question: If
> you refer to bugzilla, is that SL specific or the one at RH?
> 
RedHat's.
I'm quite certain this is one of their bugs.
Troy

> Regards,
>     Felix
> 
>> Troy
>>
>> Felix Engel wrote:
>>> Hi Troy,
>>>
>>> On Tue, Oct 28, 2008 at 09:12:24AM -0500, Troy Dawson wrote:
>>>> Hi,
>>>> You never said which version of SL, openssh, or pam_krb5.
>>> Sorry about that, I was at that point only asking for a comment on the
>>> openssh bug. Anyway, here is the detailed information:
>>>
>>>
>>> Scientific Linux SL release 5.0 (Boron)
>>> Linux maximus 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 12:38:37 EDT 2008
>>> x86_64 x86_64 x86_64 GNU/Linux
>>> openssh-server.x86_64                    4.3p2-26.el5_2.1
>>> openssh.x86_64                           4.3p2-26.el5_2.1
>>> openssh-clients.x86_64                   4.3p2-26.el5_2.1
>>> pam_krb5.i386                            2.2.14-1.el5_2.1
>>> pam_krb5.x86_64                          2.2.14-1.el5_2.1
>>>
>>>> For us, the problem is usually on the client, because by default, it does 
>>>> not delegate credentials.  So in /etc/ssh/ssh_config you have to set
>>>>   GSSAPIDelegateCredentials yes
>>> The client machine is a debian etch which is not part of the kerberos
>>> realm. It uses openssh-4.3p2-9etch3. Since it does not have
>>> credentials, the user logs in to the SL5 server using his username and
>>> password, which should trigger pam_krb5 and obtain credentials. To do
>>> this we have set
>>>     PasswordAuthentication no
>>>     UsePAM yes
>>> in /etc/ssh/sshd_config on the server.
>>>
>>> Logging on works, however the credentials are not cached.  As long as
>>> the user logs in via another method (usually gdm) first, the
>>> credentials are correctly forwarded via ssh and they are available.
>>> Kind regards,
>>>     Felix
>>>
>>>
>>> ------- SNIP Log file extracts below -----
>>> /var/log/messages:
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authentication succeeds for 'engel' ([log in to unmask])
>>> Oct 28 16:25:48 maximus sshd[3406]: Accepted keyboard-interactive/pam for engel from 137.226.90.33 port 45550 ssh2
>>>
>>>
>>> /var/log/syslog:
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=angelus.iss.rwth-aachen.de  user=engel
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: configured realm 'ISS.RWTH-AACHEN.DE'
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flags: forwardable
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no ignore_afs
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: user_check
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no krb4_convert
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: krb4_convert_524
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: krb4_use_as_req
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: will try previously set password first
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: will let libkrb5 ask questions
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no use_shmem
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no external
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: ticket lifetime: 0
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: renewable lifetime: 0
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: banner: Kerberos 5
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: ccache dir: /tmp
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: keytab: FILE:/etc/krb5.keytab
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: called to authenticate 'engel', realm 'ISS.RWTH-AACHEN.DE'
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authenticating [log in to unmask]TH-AACHEN.DE'
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: trying previously-entered password for 'engel', allowing libkrb5 to prompt for more
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authenticating [log in to unmask]TH-AACHEN.DE' to [log in to unmask]
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: krb5_get_init_creds_password([log in to unmask]) returned 0 (Success)
>>> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: got result 0 (Success)
>>> [...failing attempt to obtain v4 credentials...]
>>> [...pam account services ...]
>>> Oct 28 16:25:48 maximus sshd[3409]: Deprecated pam_stack module called from service "sshd"
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_unix(sshd:session): session opened for user engel by (uid=0)
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: configured realm 'ISS.RWTH-AACHEN.DE'
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flags: forwardable
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no ignore_afs
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: user_check
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no krb4_convert
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: krb4_convert_524
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: krb4_use_as_req
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will try previously set password first
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will ask for a password if that fails
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will let libkrb5 ask questions
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no use_shmem
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no external
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: ticket lifetime: 0
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: renewable lifetime: 0
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: banner: Kerberos 5
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: ccache dir: /tmp
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: keytab: FILE:/etc/krb5.keytab
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: no v5 creds for user 'engel', skipping session setup
>>> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: pam_open_session returning 0 (Success)
>>> Oct 28 16:25:48 maximus sshd[3409]: Deprecated pam_stack module called from service "sshd"
>>
>> -- 
>> __________________________________________________
>> Troy Dawson  [log in to unmask]  (630)840-6468
>> Fermilab  ComputingDivision/LCSI/CSI DSS Group
>> __________________________________________________
>>
> 


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
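
The log extract quoted above shows pam_krb5 authentication succeeding in sshd[3408] while the session stage in sshd[3409] reports "no v5 creds". The following is an added example, not part of the original thread: a Python check that finds this pattern in syslog. The sample lines, host, users, realm and addresses are constructed; only the message formats are taken from the extract.

```python
import re

# Constructed sample in the message format of the log extract above
# (host, users, realm, addresses and the second login are made up).
SAMPLE_LOG = """\
Oct 28 16:25:48 host1 sshd[3408]: pam_krb5[3408]: authentication succeeds for 'alice' (alice@EXAMPLE.ORG)
Oct 28 16:25:48 host1 sshd[3406]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 45550 ssh2
Oct 28 16:25:48 host1 sshd[3409]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Oct 28 16:25:48 host1 sshd[3409]: pam_krb5[3409]: no v5 creds for user 'alice', skipping session setup
Oct 28 16:31:02 host1 sshd[3520]: pam_krb5[3520]: authentication succeeds for 'bob' (bob@EXAMPLE.ORG)
Oct 28 16:31:02 host1 sshd[3518]: Accepted keyboard-interactive/pam for bob from 192.0.2.11 port 45612 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_OK = re.compile(r"pam_krb5\[\d+\]: authentication succeeds for '(?P<user>[^']+)'")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from ")
NO_CREDS = re.compile(r"pam_krb5\[\d+\]: no v5 creds for user '(?P<user>[^']+)', skipping session setup")


def find_lost_credentials(log_text):
    """Return logins where Kerberos auth succeeded but the session got no ccache."""
    auth = {}     # (host, user) -> (timestamp, sshd pid) of last successful krb5 auth
    method = {}   # (host, user) -> SSH auth method sshd reported
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        host, pid, msg = m["host"], int(m["pid"]), m["msg"]
        if (a := AUTH_OK.search(msg)):
            auth[(host, a["user"])] = (m["ts"], pid)
        elif (a := ACCEPTED.search(msg)):
            method[(host, a["user"])] = a["method"]
        elif (a := NO_CREDS.search(msg)):
            key = (host, a["user"])
            if key in auth:          # auth worked, yet the session stage saw nothing
                ts, auth_pid = auth.pop(key)
                findings.append({
                    "host": host, "user": a["user"], "auth_time": ts,
                    "auth_pid": auth_pid, "session_pid": pid,
                    "method": method.get(key),
                    # True when auth and session ran in different sshd processes
                    "split_process": auth_pid != pid,
                })
    return findings


if __name__ == "__main__":
    for f in find_lost_credentials(SAMPLE_LOG):
        print(f)
```

A finding with `split_process` set means the authentication and session stages were logged by different sshd processes, which is what the extract shows for PIDs 3408 and 3409.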
