[32887] in Kerberos
Re: Static ticket cache name
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Nov 10 18:47:04 2010
From: Russ Allbery <rra@stanford.edu>
To: Techie <techchavez@gmail.com>
In-Reply-To: <AANLkTimH9XFgfQ3B+h2Q97OaNe8EZOaBhBmBbXH79s5n@mail.gmail.com>
(Techie's message of "Wed, 10 Nov 2010 16:44:34 -0700")
Date: Wed, 10 Nov 2010 15:46:59 -0800
Message-ID: <8762w4n3m4.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Techie <techchavez@gmail.com> writes:
> I actually do get messages as seen below but no errors unfortunately.
> Nov 10 17:32:47 debtest sshd[32058]: pam_krb5(sshd:auth): user
> krb_user authenticated as krb_user@EXAMPLE.COM
> Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session):
> pam_sm_open_session: entry (0x0)
> Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session):
> pam_sm_open_session: exit (success)
> Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session):
> pam_sm_close_session: entry (0x8000)
> Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session):
> pam_sm_close_session: exit (success)
Oh, right, setcred does this. I misled you. Add both the ccache option
and the debug option to the auth stack as well, and then could you show me
the log output from trying again?
> Here is my krb5.conf snippet where I also define the ccache. Not sure if
> this is valid. I also have KRB5CCNAME set to the same in /etc/profile so
> the variable is globally set.
pam_krb5 completely ignores the existing KRB5CCNAME environment variable
for initial authentication, since it may be inherited from the environment
of xinetd or something else.
> [libdefaults]
> default_realm = EXAMPLE.COM
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> ccache = /tmp/krb5cc_000007
> forwardable = true
> proxiable = true
pam_krb5 only looks in [appdefaults], not in [libdefaults] (although it
honors the options in [libdefaults] that are interpreted by the library,
of course).
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
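
Added example (not part of the message above and not pam-krb5 code): a small Python check for the placement problem described in the reply, reporting pam_krb5 options that sit in [libdefaults], where the module does not look, and those it would find in [appdefaults]. The parser is simplified, PAM_OPTIONS holds only the two options named in the thread, the "pam" block name is the application name pam-krb5 uses in [appdefaults], and the MOVED sample is constructed.

```python
import re

# Only the two pam_krb5 options named in this thread; not an exhaustive list.
PAM_OPTIONS = {"ccache", "debug"}

def parse_krb5_conf(text):
    """Parse sections, key = value pairs and one level of `name = { ... }`."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_pam_krb5(text):
    """Return (ignored in [libdefaults], effective from [appdefaults])."""
    conf = parse_krb5_conf(text)
    lib, app = conf.get("libdefaults", {}), conf.get("appdefaults", {})
    ignored = {k: v for k, v in lib.items() if k in PAM_OPTIONS}
    effective = {k: v for k, v in app.items()
                 if k in PAM_OPTIONS and isinstance(v, str)}
    pam = app.get("pam")
    if isinstance(pam, dict):
        effective.update({k: v for k, v in pam.items() if k in PAM_OPTIONS})
    return ignored, effective

# Shape of the configuration quoted in the message: ccache under [libdefaults].
QUOTED = "[libdefaults]\ndefault_realm = EXAMPLE.COM\nccache = /tmp/krb5cc_000007\n"
# Constructed sample: the same value moved to the pam block of [appdefaults].
MOVED = """[appdefaults]
pam = {
    ccache = /tmp/krb5cc_000007
    debug = true
}
"""

if __name__ == "__main__":
    print(check_pam_krb5(QUOTED), check_pam_krb5(MOVED))
```

Realm sub-blocks inside [appdefaults] and options given on the PAM stack line itself are not handled by this sketch.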