[32890] in Kerberos


Re: Static ticket cache name

daemon@ATHENA.MIT.EDU (Techie)
Wed Nov 10 19:04:09 2010

MIME-Version: 1.0
In-Reply-To: <8762w4n3m4.fsf@windlord.stanford.edu>
Date: Wed, 10 Nov 2010 17:03:50 -0700
Message-ID: <AANLkTim8LM0As+-UwNtbZENfNFDC54cQzJzi_YVisake@mail.gmail.com>
From: Techie <techchavez@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Wed, Nov 10, 2010 at 4:46 PM, Russ Allbery <rra@stanford.edu> wrote:
> Techie <techchavez@gmail.com> writes:
>
>> I actually do get messages as seen below but no errors unfortunately.
>
>> Nov 10 17:32:47 debtest sshd[32058]: pam_krb5(sshd:auth): user
>> krb_user authenticated as krb_user@EXAMPLE.COM
>> Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session):
>> pam_sm_open_session: entry (0x0)
>> Nov 10 17:32:49 debtest sshd[32058]: pam_krb5(sshd:session):
>> pam_sm_open_session: exit (success)
>> Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session):
>> pam_sm_close_session: entry (0x8000)
>> Nov 10 17:33:25 debtest sshd[32058]: pam_krb5(sshd:session):
>> pam_sm_close_session: exit (success)
>
> Oh, right, setcred does this.  I misled you.  Add both the ccache option
> and the debug option to the auth stack as well, and then could you show me
> the log output from trying again?

OK one of the changes you suggested seems to have fixed the issue. I
tried testing after the changes and the ticket cache was set
correctly.
So to recap I set the ccache in the auth and session stack and I put
the ccache in the appdefaults section.

Thank you much for your help Russ

>
>> Here is my krb5.conf snippet where I also define the ccache. Not sure if
>> this is valid. I also have KRB5CCNAME set to the same in /etc/profile so
>> the variable is globally set.
>
> pam_krb5 completely ignores the existing KRB5CCNAME environment variable
> for initial authentication, since it may be inherited from the environment
> of xinetd or something else.
>
>> [libdefaults]
>>       default_realm = EXAMPLE.COM
>
>>       krb4_config = /etc/krb.conf
>>       krb4_realms = /etc/krb.realms
>>       kdc_timesync = 1
>>       ccache_type = 4
>>       ccache = /tmp/krb5cc_000007
>>       forwardable = true
>>       proxiable = true
>
> pam_krb5 only looks in [appdefaults], not in [libdefaults] (although it
> honors the options in [libdefaults] that are interpreted by the library,
> of course).
>
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
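
Added example, not part of the original thread and not code from pam-krb5: a small lint for the misconfiguration resolved above, flagging a `ccache` set in `[libdefaults]` (which pam_krb5 does not read) and an auth or session stack line that lacks `ccache=`. The sample files are constructed, the function names are hypothetical, and the `pam = { }` subsection name and the idea that an `[appdefaults]` setting alone is sufficient are assumptions taken from pam-krb5's documentation rather than from this page.

```python
import re
# Constructed inputs modelled on the thread; not the poster's actual files.
KRB5_CONF = """
[libdefaults]
    ccache = /tmp/krb5cc_000007
[appdefaults]
    pam = {
        debug = true
    }
"""
PAM_SSHD = """
auth    sufficient pam_krb5.so debug
session optional   pam_krb5.so ccache=/tmp/krb5cc_000007 debug
"""

def krb5_keys(text):
    """Dotted paths such as 'appdefaults.pam.ccache' for every relation set."""
    path, keys = [], set()
    for line in map(str.strip, text.splitlines()):
        if line[:1] in "#;":  # also true for "", so blank lines are skipped
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if m := re.fullmatch(r"\[(\w+)\]", line):
            path = [m.group(1)]          # new top-level section
        elif line == "}":
            path = path[:-1]             # leave a subsection
        elif value == "{":
            path.append(key)             # enter a subsection
        elif value and path:
            keys.add(".".join(path + [key]))
    return keys

def pam_ccache(text):
    """PAM group -> ccache= value (None if unset) for auth/session pam_krb5 lines."""
    found = {}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"-?(auth|session)\s.*pam_krb5\.so([^#]*)", line):
            opts = dict(a.partition("=")[::2] for a in m.group(2).split())
            found[m.group(1)] = opts.get("ccache")
    return found

def lint(krb5_text, pam_text):
    keys, pam, out = krb5_keys(krb5_text), pam_ccache(pam_text), []
    if "libdefaults.ccache" in keys:
        out.append("[libdefaults] ccache is not read by pam_krb5")
    # Assumption: an [appdefaults] setting covers both stacks on its own.
    if not keys & {"appdefaults.ccache", "appdefaults.pam.ccache"}:
        out += [f"{g}: pam_krb5 lacks ccache=" for g in pam if pam[g] is None]
    return out
```

Calling `lint(KRB5_CONF, PAM_SSHD)` on the constructed input reports both problems; it returns an empty list once `ccache` is set under `[appdefaults]` or on both PAM lines.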
