Turbo Fredriksson <[EMAIL PROTECTED]> writes:

> Package: libpam-krb5
> Version: 1.2.0-3.TF.1

> When using libpam-krb5 in 'auth' and 'session' (together with
> pam_openafs_session.so), the libpam-krb5 WILL authenticate me,
> but not create a correct ccache...

Were you logging on with a password, or were you forwarding your ticket?
It makes a huge difference.

> ----- s n i p -----
> [EMAIL PROTECTED] tail -f /var/log/auth.log -n0
> Aug  7 13:19:42 pumba sshd[26408]: (pam_krb5): none: pam_sm_authenticate: entry
> Aug  7 13:19:49 pumba sshd[26408]: (pam_krb5): turbo: pam_sm_authenticate: exit (success)
> Aug  7 13:19:49 pumba sshd[26408]: (pam_krb5): none: pam_sm_acct_mgmt: entry
> Aug  7 13:19:49 pumba sshd[26408]: (pam_krb5): turbo: pam_sm_acct_mgmt: exit (success)

Is this the start of the session?  That would imply that the auth module
never happened and you were forwarding your ticket.

> Aug  7 13:19:49 pumba sshd[26408]: Accepted password for turbo from <IP> port 36807 ssh2
> Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): none: pam_sm_setcred: entry (0x8)
> Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: attempting to refresh cred cache FILE:/tmp/krb5cc_p19351
> Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: initializing cred cache FILE:/tmp/krb5cc_p19351
> Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: chown(): No such file or directory

I think I see a couple of problems here.  One is that the chown isn't
stripping FILE: off the beginning since the PAM module never puts FILE: on
the beginning and isn't expecting that, but for cache reinitialization
there may well be one there.  I can fix that.

The second is that if you did forward your ticket, we shouldn't be
reinitializing the ticket cache at all, since we don't have any
credentials with which to reinitialize it.  I think I can see where to put
that test.

Would you be willing to try building a new version of the libpam-krb5
module from source and trying it out?  I've almost finished a new 2.0
upstream release that fixes a bunch of issues, and I'd rather fix this
there than patch the old module.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
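
The first problem described in the message above (chown() being handed a cache name that still carries the FILE: prefix), as an added C example that is not pam-krb5's own code. The function names are hypothetical, and it assumes a cache name with no type prefix is a plain file path.

```c
/* Added example, not pam-krb5 source.  Function names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Map a Kerberos credential cache name to the filesystem path that can be
 * passed to chown().  Returns NULL when the cache is not file-backed.
 *
 *   "FILE:/tmp/krb5cc_p19351"  ->  "/tmp/krb5cc_p19351"
 *   "/tmp/krb5cc_p19351"       ->  "/tmp/krb5cc_p19351"  (assumed: no prefix
 *                                                         means a file path)
 *   "MEMORY:example"           ->  NULL
 */
const char *ccache_file_path(const char *name)
{
    static const char prefix[] = "FILE:";
    const size_t plen = sizeof(prefix) - 1;

    if (name == NULL || *name == '\0')
        return NULL;
    if (strncmp(name, prefix, plen) == 0)
        return name[plen] != '\0' ? name + plen : NULL;
    if (strchr(name, ':') == NULL)
        return name;            /* untyped name: treat as a file path */
    return NULL;                /* some other TYPE: prefix, nothing on disk */
}

/*
 * Give the cache file to the user.  Returns 0 on success or when the cache
 * has no file to chown, and -1 with errno set when chown() itself fails.
 * Passing the raw "FILE:/tmp/..." string to chown() instead makes the kernel
 * look for a relative directory named "FILE:" and fail with ENOENT, which
 * matches the "chown(): No such file or directory" line in the quoted log.
 */
int chown_ccache(const char *name, uid_t uid, gid_t gid)
{
    const char *path = ccache_file_path(name);

    if (path == NULL)
        return 0;
    return chown(path, uid, gid);
}
```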

