[32886] in Kerberos
Re: Static ticket cache name
daemon@ATHENA.MIT.EDU (Techie)
Wed Nov 10 18:44:50 2010
In-Reply-To: <87mxpgn4ya.fsf@windlord.stanford.edu>
Date: Wed, 10 Nov 2010 16:44:34 -0700
Message-ID: <AANLkTimH9XFgfQ3B+h2Q97OaNe8EZOaBhBmBbXH79s5n@mail.gmail.com>
From: Techie <techchavez@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu
On Wed, Nov 10, 2010 at 4:18 PM, Russ Allbery <rra@stanford.edu> wrote:
> Techie <techchavez@gmail.com> writes:
>
>> Right I put this in the common-session file only now no more
>> common-auth. I can indeed login with pam_krb5 but it creates the ticket
>> cache as /tmp/krb5cc_$UID_randomstring like this
>> /tmp/krb5cc_23542_Cdk2d0. which I believe is the default behavior.
>
>> So it looks like it is not honouring the pam argument I put in
>> common-session. I tried both through sshd and gnome and both use
>> common-session. I turned on debugging by appending the debug arg to the
>> end of pam_krb5.so line in common-session but no success. It must be
>> something simple I am missing.
>
> By "no success" in the last, do you mean that after you added debug, you
> still didn't see any log messages from pam-krb5 in your logs? That would
> indicate that whatever files you're editing are not the files that your
> PAM configuration is actually using, or that pam_krb5.so isn't running, or
> something along those lines.

I actually do get messages as seen below but no errors unfortunately.

Nov 10 17:32:47 debtest sshd[32058]: pam_krb5(sshd:auth): user krb_user authenticated as krb_user@EXAMPLE.COM
Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_open_session: entry (0x0)
Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_open_session: exit (success)
Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_close_session: entry (0x8000)
Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)

Here is my common-session. I put required there after pam_krb5.so to
try and force it.

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_krb5.so ccache=FILE:/tmp/krb5cc_000007 debug
session optional pam_mount.so

Here is my krb5.conf snippet where I also define the ccache. Not sure
if this is valid. I also have KRB5CCNAME set to the same in
/etc/profile so the variable is globally set.

[libdefaults]
    default_realm = EXAMPLE.COM

    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    ccache = /tmp/krb5cc_000007
    forwardable = true
    proxiable = true

Thank you

> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos