Hi everyone!
(Berthold's colleague here)
We dug a little deeper and found the part in the pam_krb5-sources where
it fails. It is in the file "minikafs.c" starting in line 775. It looks
like the call to krb5_get_credentials() gets a non-zero return value, thus
making it bail out.
The problem is that we (well, at least me!) have no idea which enctype
is expected, and which enctypes are actually tried. Debug output is not
too helpful here. Any ideas on how to get useful information?
(I should mention I am waaay out of depth here with my knowledge of
Kerberos, and my C-fu is severely lacking, too ;-) )
To be absolutely clear: We can ssh-login to the machine running this
pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after login,
thus no access to AFS. If I do "klog.krb5", I -do- get an AFS-Token
without any issues, and AFS-access starts working as it should.
It's maddening that only pam_krb5 complains, while other tools work
out of the box.
Any advice would be greatly appreciated!
Stephan
On Fri, 8 Jul 2022, Berthold Cogel wrote:
On 07.07.22 at 19:04 Dirk Heinrichs wrote:
Benjamin Kaduk:
Are you aware of pam_afs_session
(https://github.com/rra/pam-afs-session)? Without knowing more about
what you're using pam_krb5 for it's hard to make specific suggestions
about what alternatives might exist.
BTW: pam_krb5 != pam_krb5. There are two different modules with the same
name out there. The one shipped with RedHat family distributions comes
with integrated AFS support, while the one shipped with Debian family
distributions doesn't. That's the reason why Debian also ships
pam_afs_session and RH does not.
Bye...
Dirk
We're using the pam_krb5 shipped with Red Hat.
I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to
work.... for some value of working....
Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get
connections from newer Ubuntu/Debian and Fedora 35 working.
We get a krb5 ticket and a login, but getting the AFS token gives errors:
"error obtaining credentials for 'afs/[email protected]'
(enctype=1) on behalf of ....: No credentials found with supported encryption
types"
Same for two other enctypes.
So something else changed in RHEL 8, which we haven't found yet.
Regards
Berthold
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
Dipl. Chem. Dr. Stephan Wonczak
Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
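The enctype mismatch this thread circles around, decoded in an added Python example (this is not code from the thread, from pam_krb5 or from OpenAFS): it parses the error format pam_krb5 prints (quoted above), parses the KDC's supported_enctypes line, names the numeric enctype, and reports why a service ticket request pinned to that enctype cannot succeed for the AFS principal. The sample inputs are constructed; the principal names and the assumption that the AFS service principal holds only an aes256-cts-hmac-sha1-96 key after the rekey are illustrative, not facts taken from the thread.

```python
import re

# Enctype numbers from the IANA Kerberos registry (RFC 3961, 3962, 4757, 6803, 8009).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
NAME_TO_ENCTYPE = {name: num for num, name in ENCTYPE_NAMES.items()}
# MIT krb5 accepts "des" as a short name for des-cbc-crc, which is how "des:afs3" parses.
NAME_TO_ENCTYPE["des"] = 1
SINGLE_DES = {1, 2, 3}

# Message format used by the Red Hat pam_krb5 AFS code, as quoted in the thread.
ERROR_RE = re.compile(r"error obtaining credentials for '([^']+)' \(enctype=(\d+)\)")


def parse_pam_krb5_error(msg):
    """Return the service principal and the enctype number pam_krb5 asked for, or None."""
    m = ERROR_RE.search(msg)
    if m is None:
        return None
    return {"principal": m.group(1), "enctype": int(m.group(2))}


def parse_supported_enctypes(spec):
    """Parse a kdc.conf supported_enctypes value into (enctype number, salt type) pairs."""
    pairs = []
    for item in spec.split():
        name, _, salt = item.partition(":")
        num = NAME_TO_ENCTYPE.get(name)
        if num is None:
            raise ValueError("unknown enctype name: %s" % name)
        pairs.append((num, salt or "normal"))
    return pairs


def diagnose(error_msg, kdc_supported, principal_keys):
    """Explain why a credential request pinned to one enctype fails.

    kdc_supported: the supported_enctypes string from kdc.conf.
    principal_keys: enctype names the AFS service principal actually has keys for
                    (what "kadmin getprinc" would list; an input here, not queried).
    """
    req = parse_pam_krb5_error(error_msg)
    if req is None:
        return {"parsed": False, "findings": ["message is not a pam_krb5 enctype error"]}
    etype = req["enctype"]
    name = ENCTYPE_NAMES.get(etype, "unknown(%d)" % etype)
    kdc_types = {num for num, _ in parse_supported_enctypes(kdc_supported)}
    key_types = {NAME_TO_ENCTYPE[k] for k in principal_keys}
    findings = []
    if etype not in kdc_types:
        findings.append("KDC does not list %s in supported_enctypes" % name)
    if etype not in key_types:
        findings.append("%s has no %s key, so the KDC cannot issue a service ticket of that enctype"
                        % (req["principal"], name))
    if etype in SINGLE_DES:
        findings.append("%s is single DES: MIT krb5 before 1.18 needs allow_weak_crypto = true "
                        "on the client, and 1.18 and later have no DES support at all" % name)
    return {
        "parsed": True,
        "principal": req["principal"],
        "enctype": etype,
        "enctype_name": name,
        "request_satisfiable": etype in kdc_types and etype in key_types and etype not in SINGLE_DES,
        "findings": findings,
    }


# Constructed sample inputs mirroring the thread: the KDC's supported_enctypes line, an
# error in the pam_krb5 format, and the assumed post-rekey key set of the AFS principal.
SAMPLE_KDC_ENCTYPES = "aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3"
SAMPLE_ERROR = ("error obtaining credentials for 'afs/example.org@EXAMPLE.ORG' (enctype=1) "
                "on behalf of user@EXAMPLE.ORG: No credentials found with supported encryption types")
SAMPLE_PRINCIPAL_KEYS = ["aes256-cts-hmac-sha1-96"]

if __name__ == "__main__":
    report = diagnose(SAMPLE_ERROR, SAMPLE_KDC_ENCTYPES, SAMPLE_PRINCIPAL_KEYS)
    print("requested enctype:", report["enctype_name"])
    for finding in report["findings"]:
        print(" -", finding)
```

On a live client the same facts can be gathered without reading pam_krb5's C source: `KRB5_TRACE=/dev/stderr kvno -e des-cbc-crc afs/CELL@REALM` makes the same kind of fixed-enctype service ticket request the module makes and traces which enctypes the library offers and what the KDC answers, while `klist -e` shows the enctypes of the tickets that were actually issued.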