From: Stijn Hoop
Date: Wed, 31 Aug 2005 15:18:56 +0200
To: questions@freebsd.org
Subject: Re: heimdal kerberos & ssh

OK, I think I figured this out, at least partially:

On Wed, Aug 31, 2005 at 01:23:00PM +0200, Stijn Hoop wrote:
> So it seems that the authentication is working, however the TGT is not
> being saved.

It turns out that you really need to specify the 'ccache' parameter to
pam_krb5 but in the correct format:

    auth    required    pam_krb5.so    no_warn try_first_pass ccache=FILE:/tmp/krb5_%u

Furthermore, do not test logging in with a user that has both a local
account and a kerberos principal -- it may confuse you :-/

For the record here is the /etc/pam.d/sshd that I think works:

%%%
# auth
auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        required    pam_krb5.so         no_warn try_first_pass ccache=FILE:/tmp/krb5_%u

# account
account     required    pam_krb5.so
account     required    pam_login_access.so

# session
session     required    pam_permit.so

# password
password    required    pam_krb5.so         no_warn try_first_pass
%%%

However:

- I still don't get a valid cache file with a user that also has a local
  password (manually doing kinit works just fine). This is really strange..

- there's a strange 2-3 second delay when logging in, that I can't explain.
  It feels like some sort of timeout but I can't figure out what...

Anyone recognize this?

And again, if there's someone out there with a working setup, I'd love to
see the config files.

--Stijn

-- 
This sentence contradicts itself -- no actually it doesn't.
        -- Hofstadter
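As an added example that is not part of the original post: a small lint for a /etc/pam.d/sshd-style file that flags pam_krb5 auth entries whose ccache= option is missing or does not follow the FILE:/path_%u form the poster found to work (a cache path without a per-user token would be shared between users). The sample configuration embedded below is constructed for illustration.

```python
"""Lint pam.d entries for the pam_krb5 ccache= option (added example)."""
import re

# Constructed sample: the pam_krb5 auth line (line 3) has no ccache= option.
SAMPLE_PAMD = """\
# auth
auth    required    pam_nologin.so  no_warn
auth    required    pam_krb5.so     no_warn try_first_pass
# account
account required    pam_krb5.so
password required   pam_krb5.so     no_warn try_first_pass ccache=FILE:/tmp/krb5_%u
"""


def parse_pamd(text):
    """Yield (lineno, type, control, module, options) per non-comment line.

    A bracketed control field such as [success=ok default=bad] is one token.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        ptype, control, module, rest = m.groups()
        yield lineno, ptype, control, module, rest.split()


def check_krb5_ccache(text):
    """Return [(lineno, problem)] for pam_krb5 auth entries in the file."""
    problems = []
    for lineno, ptype, _control, module, opts in parse_pamd(text):
        if ptype != "auth" or not module.endswith("pam_krb5.so"):
            continue
        ccache = [o.split("=", 1)[1] for o in opts if o.startswith("ccache=")]
        if not ccache:
            problems.append((lineno, "pam_krb5 auth entry has no ccache= option"))
            continue
        value = ccache[-1]  # last occurrence wins if repeated
        if not value.startswith("FILE:"):
            problems.append((lineno, "ccache value lacks FILE: type prefix"))
        if "%u" not in value:  # without %u every user would share one cache
            problems.append((lineno, "ccache path has no per-user %u token"))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_krb5_ccache(SAMPLE_PAMD):
        print(f"line {lineno}: {msg}")
```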