kerberos, pam_krb5 and ccache file



I have set up kerberos here and it seems to be working.  I have
configured pam to use pam_krb5 to authenticate and create a credentials
cache.

If I login on the console (mingetty/login) I get a credentials cache.
kinit shows as much.  However if I log into a desktop with gdm, no
credentials cache.

From looking at the pam debugging, it would appear that a regular
terminal login is doing more with pam than gdm seems to be doing.  Here
is what I see when I log in at the console:

login(pam_unix)[6462]: check pass; user unknown
login(pam_unix)[6462]: authentication failure; logname= uid=0 euid=0 tty=vc/4 ruser= rhost= 
login[6462]: pam_krb5[6462]: default/local realm 'BAR'
login[6462]: pam_krb5[6462]: configured realm 'BAR'
login[6462]: pam_krb5[6462]: flags:
login[6462]: pam_krb5[6462]: flag: user_check
login[6462]: pam_krb5[6462]: flag: no krb4_convert
login[6462]: pam_krb5[6462]: flag: warn
login[6462]: pam_krb5[6462]: ticket lifetime: 0
login[6462]: pam_krb5[6462]: renewable lifetime: 0
login[6462]: pam_krb5[6462]: banner: Kerberos 5
login[6462]: pam_krb5[6462]: ccache dir: /tmp
login[6462]: pam_krb5[6462]: keytab: /etc/krb5.keytab
login[6462]: pam_krb5[6462]: called to authenticate 'foo'
login[6462]: pam_krb5[6462]: authenticating 'foo BAR'
login[6462]: pam_krb5[6462]: trying previously-entered password for 'foo'
login[6462]: pam_krb5[6462]: authenticating 'foo BAR' to 'krbtgt/BAR BAR'
login[6462]: pam_krb5[6462]: krb5_get_init_creds_password(krbtgt/BAR BAR) returned 0 (Success)
login[6462]: pam_krb5[6462]: got result 0 (Success)
login[6462]: pam_krb5[6462]: authentication succeeds for 'foo' (foo BAR)
login[6462]: pam_krb5[6462]: default/local realm 'BAR'
login[6462]: pam_krb5[6462]: configured realm 'BAR'
login[6462]: pam_krb5[6462]: flags:
login[6462]: pam_krb5[6462]: flag: user_check
login[6462]: pam_krb5[6462]: flag: no krb4_convert
login[6462]: pam_krb5[6462]: flag: warn
login[6462]: pam_krb5[6462]: ticket lifetime: 0
login[6462]: pam_krb5[6462]: renewable lifetime: 0
login[6462]: pam_krb5[6462]: banner: Kerberos 5
login[6462]: pam_krb5[6462]: ccache dir: /tmp
login[6462]: pam_krb5[6462]: keytab: /etc/krb5.keytab
login[6462]: pam_krb5[6462]: account management succeeds for 'foo'
login[6462]: pam_krb5[6462]: pam_acct_mgmt returning 0 (Success)
login(pam_unix)[6462]: session opened for user foo by (uid=0)
login[6462]: pam_krb5[6462]: default/local realm 'BAR'
login[6462]: pam_krb5[6462]: configured realm 'BAR'
login[6462]: pam_krb5[6462]: flags:
login[6462]: pam_krb5[6462]: flag: user_check
login[6462]: pam_krb5[6462]: flag: no krb4_convert
login[6462]: pam_krb5[6462]: flag: warn
login[6462]: pam_krb5[6462]: ticket lifetime: 0
login[6462]: pam_krb5[6462]: renewable lifetime: 0
login[6462]: pam_krb5[6462]: banner: Kerberos 5
login[6462]: pam_krb5[6462]: ccache dir: /tmp
login[6462]: pam_krb5[6462]: keytab: /etc/krb5.keytab
login[6462]: pam_krb5[6462]: creating v5 ccache for 'foo'
login[6462]: pam_krb5[6462]: saving v5 credentials to 'FILE:/tmp/krb5cc_1010_DjGdDs'
login[6462]: pam_krb5[6462]: created v5 ccache '/tmp/krb5cc_1010_dvBsCA' for 'foo'
login[6462]: pam_krb5[6462]: pam_open_session returning 0 (Success)
login[6462]: pam_krb5[6462]: default/local realm 'BAR'
login[6462]: pam_krb5[6462]: configured realm 'BAR'
login[6462]: pam_krb5[6462]: flags:
login[6462]: pam_krb5[6462]: flag: user_check
login[6462]: pam_krb5[6462]: flag: no krb4_convert
login[6462]: pam_krb5[6462]: flag: warn
login[6462]: pam_krb5[6462]: ticket lifetime: 0
login[6462]: pam_krb5[6462]: renewable lifetime: 0
login[6462]: pam_krb5[6462]: banner: Kerberos 5
login[6462]: pam_krb5[6462]: ccache dir: /tmp
login[6462]: pam_krb5[6462]: keytab: /etc/krb5.keytab
login[6462]: pam_krb5[6462]: removing ccache file '/tmp/krb5cc_1010_dvBsCA'
login[6462]: pam_krb5[6462]: creating v5 ccache for 'foo'
login[6462]: pam_krb5[6462]: saving v5 credentials to 'FILE:/tmp/krb5cc_1010_S5cMxM'
login[6462]: pam_krb5[6462]: created v5 ccache '/tmp/krb5cc_1010_YFPVrM' for 'foo'
login[6462]: pam_krb5[6462]: pam_open_session returning 0 (Success)
 -- foo[6462]: LOGIN ON vc/4 BY foo
 -- foo[6462]: pam_krb5[6462]: default/local realm 'BAR'
 -- foo[6462]: pam_krb5[6462]: configured realm 'BAR'
 -- foo[6462]: pam_krb5[6462]: flags:
 -- foo[6462]: pam_krb5[6462]: flag: user_check
 -- foo[6462]: pam_krb5[6462]: flag: no krb4_convert
 -- foo[6462]: pam_krb5[6462]: flag: warn
 -- foo[6462]: pam_krb5[6462]: ticket lifetime: 0
 -- foo[6462]: pam_krb5[6462]: renewable lifetime: 0
 -- foo[6462]: pam_krb5[6462]: banner: Kerberos 5
 -- foo[6462]: pam_krb5[6462]: ccache dir: /tmp
 -- foo[6462]: pam_krb5[6462]: keytab: /etc/krb5.keytab
 -- foo[6462]: pam_krb5[6462]: afs not running
 -- foo[6462]: pam_krb5[6462]: removing ccache file '/tmp/krb5cc_1010_YFPVrM'
 -- foo[6462]: pam_krb5[6462]: destroyed v5 ticket file for 'foo'
 -- foo[6462]: pam_krb5[6462]: pam_close_session returning 0 (Success)
 -- foo[6462]: pam_krb5[6462]: pam_close_session returning 0 (Success)
login(pam_unix)[6462]: session closed for user foo
 -- foo[6462]: pam_krb5[6462]: default/local realm 'BAR'
 -- foo[6462]: pam_krb5[6462]: configured realm 'BAR'
 -- foo[6462]: pam_krb5[6462]: flags:
 -- foo[6462]: pam_krb5[6462]: flag: user_check
 -- foo[6462]: pam_krb5[6462]: flag: no krb4_convert
 -- foo[6462]: pam_krb5[6462]: flag: warn
 -- foo[6462]: pam_krb5[6462]: ticket lifetime: 0
 -- foo[6462]: pam_krb5[6462]: renewable lifetime: 0
 -- foo[6462]: pam_krb5[6462]: banner: Kerberos 5
 -- foo[6462]: pam_krb5[6462]: ccache dir: /tmp
 -- foo[6462]: pam_krb5[6462]: keytab: /etc/krb5.keytab
 -- foo[6462]: pam_krb5[6462]: afs not running
 -- foo[6462]: pam_krb5[6462]: destroyed v5 ticket file for 'foo'
 -- foo[6462]: pam_krb5[6462]: pam_close_session returning 0 (Success)
 -- foo[6462]: pam_krb5[6462]: pam_close_session returning 0 (Success)

When I log in using gdm, this is all that is logged:

gdm(pam_unix)[28942]: session opened for user foo by (uid=0)
gdm-binary[28942]: pam_krb5[28942]: default/local realm 'BAR'
gdm-binary[28942]: pam_krb5[28942]: configured realm 'BAR'
gdm-binary[28942]: pam_krb5[28942]: flags:
gdm-binary[28942]: pam_krb5[28942]: flag: user_check
gdm-binary[28942]: pam_krb5[28942]: flag: no krb4_convert
gdm-binary[28942]: pam_krb5[28942]: flag: warn
gdm-binary[28942]: pam_krb5[28942]: ticket lifetime: 0
gdm-binary[28942]: pam_krb5[28942]: renewable lifetime: 0
gdm-binary[28942]: pam_krb5[28942]: banner: Kerberos 5
gdm-binary[28942]: pam_krb5[28942]: ccache dir: /tmp
gdm-binary[28942]: pam_krb5[28942]: keytab: /etc/krb5.keytab
gdm-binary[28942]: pam_krb5[28942]: no v5 creds for user 'foo', skipping session setup
gdm-binary[28942]: pam_krb5[28942]: pam_open_session returning 0 (Success)
gdm(pam_unix)[28942]: session closed for user foo
gdm-binary[28942]: pam_krb5[28942]: default/local realm 'BAR'
gdm-binary[28942]: pam_krb5[28942]: configured realm 'BAR'
gdm-binary[28942]: pam_krb5[28942]: flags:
gdm-binary[28942]: pam_krb5[28942]: flag: user_check
gdm-binary[28942]: pam_krb5[28942]: flag: no krb4_convert
gdm-binary[28942]: pam_krb5[28942]: flag: warn
gdm-binary[28942]: pam_krb5[28942]: ticket lifetime: 0
gdm-binary[28942]: pam_krb5[28942]: renewable lifetime: 0
gdm-binary[28942]: pam_krb5[28942]: banner: Kerberos 5
gdm-binary[28942]: pam_krb5[28942]: ccache dir: /tmp
gdm-binary[28942]: pam_krb5[28942]: keytab: /etc/krb5.keytab
gdm-binary[28942]: pam_krb5[28942]: no v5 creds for user 'foo', skipping session cleanup
gdm-binary[28942]: pam_krb5[28942]: pam_close_session returning 0 (Success)

It seems the authentication and session steps are missing when using
gdm?  Or am I mis-reading this somehow?

b.
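
Added example, not part of the original post: a small parser that groups pam_krb5 debug lines by PID and reports which PAM phases the module logged for each login, flagging processes where it ran open_session without ever being called to authenticate. The sample lines are abridged from the two excerpts above; the function names and the marker-to-phase mapping are assumptions made for this example.

```python
import re
from collections import defaultdict

# Abridged from the two log excerpts in the post (not the full output).
SAMPLE = """\
login[6462]: pam_krb5[6462]: called to authenticate 'foo'
login[6462]: pam_krb5[6462]: authentication succeeds for 'foo' (foo BAR)
login[6462]: pam_krb5[6462]: pam_acct_mgmt returning 0 (Success)
login[6462]: pam_krb5[6462]: created v5 ccache '/tmp/krb5cc_1010_dvBsCA' for 'foo'
login[6462]: pam_krb5[6462]: pam_open_session returning 0 (Success)
gdm-binary[28942]: pam_krb5[28942]: no v5 creds for user 'foo', skipping session setup
gdm-binary[28942]: pam_krb5[28942]: pam_open_session returning 0 (Success)
""".splitlines()

# Matches "prog[pid]: pam_krb5[pid]: message", with the optional " -- " prefix
# that appears in the post once login has switched to the user's name.
LINE = re.compile(r"^\s*(?:-- )?(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: pam_krb5\[\d+\]: (?P<msg>.*)$")

# Assumed mapping from message text seen in the post to the PAM phase it implies.
MARKERS = [("called to authenticate", "auth"),
           ("pam_acct_mgmt returning", "account"),
           ("pam_open_session returning", "open_session"),
           ("pam_close_session returning", "close_session")]

def phases_by_pid(lines):
    """Return {pid: {prog, phases (in first-seen order), ccache, skipped}}."""
    seen = defaultdict(lambda: {"prog": None, "phases": [], "ccache": False, "skipped": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # pam_unix and other non-pam_krb5 lines are ignored
        rec, msg = seen[m["pid"]], m["msg"]
        rec["prog"] = rec["prog"] or m["prog"]  # keep the first program name seen
        for needle, phase in MARKERS:
            if needle in msg and phase not in rec["phases"]:
                rec["phases"].append(phase)
        rec["ccache"] |= "created v5 ccache" in msg
        rec["skipped"] |= "no v5 creds for user" in msg
    return dict(seen)

def diagnose(lines):
    """List processes where pam_krb5 opened a session without an auth call."""
    return [f"{r['prog']}[{pid}]: open_session without authenticate; ccache created: {r['ccache']}"
            for pid, r in phases_by_pid(lines).items()
            if "open_session" in r["phases"] and "auth" not in r["phases"]]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

A flagged process is one whose PAM service configuration is worth comparing, phase by phase, with that of a service that does produce a ccache.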
