[31784] in Kerberos


Re: Kerberos tickets, SSH public key auth, AFS tokens

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Wed Dec 16 22:31:03 2009

Message-ID: <4B29A5C3.4060908@stage-infinity.com>
Date: Wed, 16 Dec 2009 22:30:11 -0500
From: Jeff Blaine <jblaine@stage-infinity.com>
MIME-Version: 1.0
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87ws0mxoys.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 12/16/2009 10:24 PM, Russ Allbery wrote:
> Jeff Blaine <jblaine@stage-infinity.com> writes:
>
>> Yup, they're there, just no tokens.  I even tried a pam_krb5RA2.so and
>> pam_afs_session2.so built against the Sun Kerberos instead of our local
>> MIT Kerberos for kicks.  Same result.
>
>> ~:faron>  kdestroy
>> ~:faron>  logout
>> Connection to faron closed.
>> ~:cairo>  /usr/bin/ssh -o "GSSAPIDelegateCredentials yes" faron
>> ~:faron>  klist
>> Ticket cache: FILE:/tmp/krb5cc_26560
>> Default principal: jblaine@RCF.FOO.ORG
>
>> Valid starting     Expires            Service principal
>> 12/16/09 22:18:51  12/23/09 19:05:33  krbtgt/RCF.FOO.ORG@RCF.FOO.ORG
>>          renew until 12/23/09 19:05:33
>
>> Kerberos 4 ticket cache: /tmp/tkt26560
>> klist: You have no tickets cached
>> ~:faron>
>
> Oh, right, I remember this problem now.  This is why Douglas has another
> PAM module that does nothing except set KRB5CCNAME in the environment for
> use on Solaris.  Solaris uses the default UID-based ticket cache and hence
> doesn't set KRB5CCNAME in the environment.
>
> Try adding always_aklog to the pam_afs_session configuration.

Bingo.  That worked.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
