(resend without attachment - the original mail did not make it to the
list!)
Hi Jeffrey,
Thanks for having a look at the problem.
However, I obviously did not do a very good job detailing exactly what
we did ... so here's my next try. Warning: It is going to be lengthy :-)
First off: We do not use SSSD. And we would like to keep it that way, since
it caused various massive problems in the past.
On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM
of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
Looking at the debug-output of the module, this is what the relevant part
looks like:
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user XXXX by (uid=0)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: default/local realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no null_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no cred_session
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_k5login
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: user_check
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try previously set password first
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask for a password if that fails
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let libkrb5 ask questions
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: use_shmem
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: external
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no multiple_ccaches
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: Kerberos 5
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: /tmp
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: FILE:/etc/krb5.keytab
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup function removing shared memory segment 3 belonging to process 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with ticket (2b)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to determine realm for "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/[email protected]")
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens for cell "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no additional afs cells configured
We then took the source RPM pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild
on a RHEL-8 machine. This worked without any errors.
However, when we try to use this to get a token, this happens:
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_unix(sshd:session): session opened for user a0537 by (uid=0)
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: default/local realm 'RRZ.UNI-KOELN.DE'
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: configured realm 'RRZ.UNI-KOELN.DE'
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: debug
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: don't always_allow_localname
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no ignore_afs
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no null_afs
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no cred_session
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no ignore_k5login
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: user_check
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: will try previously set password first
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: will ask for a password if that fails
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: will let libkrb5 ask questions
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: use_shmem
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: external
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no multiple_ccaches
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: validate
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: warn
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: banner: Kerberos 5
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: ccache dir: /tmp
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: keytab: FILE:/etc/krb5.keytab
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: token strategy: 2b
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: removing shared memory segment 29 creator pid 2204130
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: cleanup function removing shared memory segment 29 belonging to process 2204130
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: obtaining afs tokens
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: creating new PAG
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: trying with ticket (2b)
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to determine realm for "rrz.uni-koeln.de"
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/[email protected]")
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/[email protected]' (enctype=1) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/[email protected]' (enctype=2) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/[email protected]' (enctype=3) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("[email protected]")
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=1) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=2) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=3) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afsx/[email protected]")
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/[email protected]' (enctype=1) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/[email protected]' (enctype=2) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/[email protected]' (enctype=3) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("[email protected]")
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=1) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=2) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=3) on behalf of '[email protected]': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: afslog (2b) failed to "rrz.uni-koeln.de"
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: got error -1 (Unknown code ____ 255) while obtaining tokens for rrz.uni-koeln.de
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: no additional afs cells configured
To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. On RHEL-8,
we still get a valid kerberos ticket, but getting the AFS-Token fails. It -is-
possible, however, to get a valid AFS-Token by klog.krb5. So -in principle-
everything is in place to have this done by pam_afs.
The problem is: I have no way to determine why it is complaining about "no
supported encryption types" when other tools have no problems at all!
Additional info: Yes, we did rekey our AFS cell quite a while ago, and our
afs principal has two keys:
kadmin.local: getprinc afs/rrz.uni-koeln.de
Principal: afs/[email protected]
<snip>
Anzahl der Schlüssel: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]
Our users have three:
kadmin.local: getprinc XXXX
Principal: [email protected]
<snip>
Anzahl der Schlüssel: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, des-cbc-crc
Key: vno 2, des-cbc-md5:afs3
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]
Like I said before, I looked at the sources of our version of pam_krb5, and
the part where it is failing starts at line 775 inside the function
"minikafs_5log_with_principal" (I'll attach the minikafs.c to this mail for
reference)
    /* Try to obtain a suitable credential. */
    for (i = 0; i < n_etypes; i++) {
        /* Each pass asks for a service ticket restricted to one enctype
         * from the etypes[] list the caller supplied. */
        memset(&mcreds, 0, sizeof(mcreds));
        mcreds.client = client;
        mcreds.server = server;
        if (etypes != NULL) {
            v5_creds_set_etype(ctx, &mcreds, etypes[i]);
        }
        new_creds = NULL;
        tmp = krb5_get_credentials(ctx, 0, ccache, &mcreds, &new_creds);
        if (tmp == 0) {
            /* Got a ticket: turn it into an AFS token (rxk5 or 2b). */
            if (use_rxk5 &&
                (minikafs_5settoken2(cell, new_creds, uid) == 0)) {
                krb5_free_creds(ctx, new_creds);
                v5_free_unparsed_name(ctx, unparsed_client);
                krb5_free_principal(ctx, client);
                krb5_free_principal(ctx, server);
                return 0;
            } else
            if (use_v5_2b &&
                (minikafs_5settoken(cell, new_creds, uid) == 0)) {
                krb5_free_creds(ctx, new_creds);
                v5_free_unparsed_name(ctx, unparsed_client);
                krb5_free_principal(ctx, client);
                krb5_free_principal(ctx, server);
                return 0;
            }
            krb5_free_creds(ctx, new_creds);
        } else {
            /* krb5_get_credentials() failed for this enctype; this is
             * where the "error obtaining credentials" lines come from. */
            if (options->debug) {
                if (etypes != NULL) {
                    debug("error obtaining credentials for "
                          "'%s' (enctype=%d) on behalf of "
                          "'%s': %s",
                          principal, etypes[i],
                          unparsed_client,
                          v5_error_message(tmp));
                } else {
                    debug("error obtaining credentials for "
                          "'%s' on behalf of "
                          "'%s': %s",
                          principal,
                          unparsed_client,
                          v5_error_message(tmp));
                }
            }
        }
    }
    v5_free_unparsed_name(ctx, unparsed_client);
    krb5_free_principal(ctx, client);
    krb5_free_principal(ctx, server);
If you or anyone else has any ideas how to tackle the problem, any help would
be greatly appreciated.
Cheers from Cologne,
Stephan Wonczak
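As an added diagnostic (not part of this thread, and not code from pam_krb5), the script below parses the "error obtaining credentials" debug lines shown above and reports, per AFS service principal, which enctypes the module actually asked for, so the "no supported encryption types" errors can be read against the KDC's key list. The sample lines are constructed from the log format on the page; the user principal XXXX@RRZ.UNI-KOELN.DE and the host/pid fields are placeholders.

```python
import re
from collections import defaultdict

# RFC 3961 enctype numbers. Enctypes 1-3 are all single-DES variants, which
# is exactly what the module tries in the log above (enctype=1, 2, 3).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}

ERR_RE = re.compile(
    r"error obtaining credentials for '(?P<server>[^']+)' "
    r"\(enctype=(?P<etype>\d+)\) on behalf of '(?P<client>[^']+)': (?P<msg>.+)$")
GOT_RE = re.compile(r'got tokens for cell "(?P<cell>[^"]+)"')


def analyze(lines):
    """Summarise which enctypes pam_krb5 requested per AFS service principal."""
    tried = defaultdict(list)   # service principal -> enctype numbers tried
    got = set()                 # cells for which a token was obtained
    for line in lines:
        m = ERR_RE.search(line)
        if m:
            tried[m.group("server")].append(int(m.group("etype")))
            continue
        m = GOT_RE.search(line)
        if m:
            got.add(m.group("cell"))
    requested = {e for es in tried.values() for e in es}
    return {
        "tried": {s: [ENCTYPE_NAMES.get(e, f"enctype {e}") for e in es]
                  for s, es in tried.items()},
        "got_tokens": sorted(got),
        # True when every ticket request was for a single-DES enctype.
        "only_single_des_requested": bool(requested) and requested <= SINGLE_DES,
    }


# Constructed sample, modelled on the RHEL-8 log above (placeholders, not real data).
PREFIX = "Jul 8 15:14:57 host sshd[1]: pam_krb5[1]: "
AFS = "afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE"
USER = "XXXX@RRZ.UNI-KOELN.DE"
SAMPLE_FAIL = [
    PREFIX + f"error obtaining credentials for '{AFS}' (enctype={e}) on behalf of "
             f"'{USER}': No credentials found with supported encryption types"
    for e in (1, 2, 3)
] + [PREFIX + 'afslog (2b) failed to "rrz.uni-koeln.de"']
SAMPLE_OK = [PREFIX + 'got tokens for cell "rrz.uni-koeln.de"']

if __name__ == "__main__":
    print(analyze(SAMPLE_FAIL))
    print(analyze(SAMPLE_OK))
```

A result with only_single_des_requested set and no token for the cell matches Jeffrey's reading of the thread: the module only asks for single-DES service tickets, so an afs principal that now carries an AES key cannot satisfy it without rxkad-kdf support.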
On Fri, 8 Jul 2022, Jeffrey E Altman wrote:
Sounds like the version of pam_krb5 you are attempting to build does not
include support for rxkad-kdf.
https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html
The version of pam_krb5 that supports rxkad-kdf contains a
minikafs_kd_derive() function at minikafs.c line 775.
See https://github.com/frozencemetery/pam_krb5.
As mentioned in my prior reply pam_krb5 should not be used in conjunction
with sssd.
Jeffrey Altman
On 7/8/2022 8:35 AM, Stephan Wonczak ([email protected]) wrote:
Hi everyone!
(Berthold's colleague here)
We dug a little deeper and found the part in the
pam_krb5-sources where it fails. It is in the file "minikafs.c"
starting in line 775. It looks like the call to
krb5_get_credentials() gets a non-zero return value, thus making
it bail out.
The problem is that we (well, at least me!) have no idea which
enctype is expected, and which enctypes are actually tried.
Debug output is not too helpful here. Any ideas on how to get
useful information?
(I should mention I am waaay out of depth here with my
knowledge of Kerberos, and my C-fu is severely lacking, too ;-)
)
To be absolutely clear: We can ssh-login to the machine
running this pam_krb.so-module, and get a valid krb5-ticket. No
AFS-token after login, thus no access to AFS. If I do
"klog.krb5", I -do- get an AFS-Token without any issues, and
AFS-access starts working as it should.
It's maddening that only pam_krb5 complains, while other tools
work out of the box.
Any advice would be greatly appreciated!
Stephan
On Fri, 8 Jul 2022, Berthold Cogel wrote:
On 07.07.22 at 19:04, Dirk Heinrichs wrote:
Benjamin Kaduk:
Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)?
Without knowing more about what you're using pam_krb5 for it's hard to make
specific suggestions about what alternatives might exist.
BTW: pam_krb5 != pam_krb5. There are two different modules with the same
name out there. The one shipped with RedHat family distributions comes
with integrated AFS support, while the one shipped with Debian family
distributions doesn't. That's the reason why Debian also ships
pam_afs_session and RH does not.
Bye...
Dirk
We're using the pam_krb5 shipped with Red Hat.
I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems
to work.... for some value of working....
Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get
connections from newer Ubuntu/Debian and Fedora 35 working.
We get a krb5 ticket and a login, but getting the AFS token gives errors:
"error obtaining credentials for 'afs/[email protected]' (enctype=1)
on behalf of ....: No credentials found with supported encryption types"
Same for two other enctypes.
So something else changed in RHEL 8, which we haven't found yet.
Regards
Berthold
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
Dipl. Chem. Dr. Stephan Wonczak
Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625