From owner-freebsd-arch@FreeBSD.ORG Sat Sep 3 09:44:37 2005
Date: Sat, 3 Sep 2005 11:44:34 +0200
From: Stijn Hoop
To: freebsd-arch@freebsd.org
Message-ID: <20050903094434.GA852@pcwin002.win.tue.nl>
User-Agent: Mutt/1.4.2.1i
X-Bright-Idea: Let's abolish HTML mail!
Subject: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED
List-Id: Discussion related to FreeBSD architecture

Hi,

I'm debugging a problem on 5-STABLE where I've set up a KDC using Heimdal in
the base system, and activated pam_krb5 in /etc/pam.d/sshd.

It turns out that pam_krb5 does not establish the credential cache for the
authenticated user. After reinstalling pam with DEBUG & PAM_DEBUG, it turns
out that pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags,
and never with PAM_ESTABLISH_CRED, which is the only case for which a
credential cache will be saved (in all other cases, PAM_SUCCESS is returned
immediately, which is why I don't have a cache).

My questions:

- is this due to my pam setup? I've used the default /etc/pam.d/ssh while
  uncommenting the pam_krb5 entries, and I've also tried having only pam_krb5
  as being required for all types. Both setups did not make any difference.

- shouldn't pam_krb5 re-establish the credential cache when called with
  PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a total
  pam newbie so I'm going only by the name of the flag; I couldn't find a
  manpage that made the semantics of these flags more clear.

--Stijn

-- 
"What if everything you see is more than what you see -- the person next to
you is a warrior and the space that appears empty is a secret door to another
world? What if something appears that shouldn't? You either dismiss it, or you
accept that there is much more to the world than you think.
Perhaps it really is a doorway, and if you choose to go inside, you'll find
many unexpected things."
    -- Shigeru Miyamoto
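As an added illustration (not part of Stijn's message, and not code from pam_krb5 or OpenPAM), the following stand-alone C program simulates the flag dispatch a PAM module's pam_sm_setcred() performs and replays the two call sequences at issue: a caller that passes PAM_ESTABLISH_CRED and then PAM_REINITIALIZE_CRED, and the sequence observed in the report, PAM_REINITIALIZE_CRED only. It does not link against libpam; the DEMO_PAM_* constants are local definitions assumed to mirror OpenPAM's pam_constants.h, the "credential cache" is a plain C variable rather than a Kerberos ccache, and setcred_strict()/setcred_lenient() are hypothetical policies, the first modelled on the behaviour described in the message.

```c
/* Added example: simulate pam_sm_setcred() flag dispatch.  No libpam.
 * DEMO_PAM_* values are local definitions for this demo (assumed to
 * mirror OpenPAM); a real module must use <security/pam_modules.h>. */
#include <stdio.h>
#include <stdbool.h>

#define DEMO_PAM_SILENT            0x80000000u
#define DEMO_PAM_ESTABLISH_CRED    0x1u
#define DEMO_PAM_DELETE_CRED       0x2u
#define DEMO_PAM_REINITIALIZE_CRED 0x4u
#define DEMO_PAM_REFRESH_CRED      0x8u

enum cred_action { ACT_NONE, ACT_STORE, ACT_REFRESH, ACT_DELETE, ACT_BAD_FLAGS };

/* Strict policy, modelled on the behaviour described in the report:
 * only PAM_ESTABLISH_CRED writes a cache; REINITIALIZE/REFRESH are
 * acknowledged (PAM_SUCCESS) without touching it. */
enum cred_action setcred_strict(unsigned flags, bool have_cache)
{
    (void)have_cache;
    /* PAM_SILENT may be OR'd in by the caller: mask it off and test
     * individual bits with &, never with == against a single flag. */
    flags &= ~DEMO_PAM_SILENT;
    if (flags & DEMO_PAM_ESTABLISH_CRED) return ACT_STORE;
    if (flags & DEMO_PAM_DELETE_CRED)    return ACT_DELETE;
    if (flags & (DEMO_PAM_REINITIALIZE_CRED | DEMO_PAM_REFRESH_CRED))
        return ACT_NONE;
    return ACT_BAD_FLAGS;   /* no recognised flag: a real module would return an error */
}

/* Hypothetical lenient policy: REINITIALIZE/REFRESH store a cache when
 * none exists yet, otherwise refresh the existing one. */
enum cred_action setcred_lenient(unsigned flags, bool have_cache)
{
    flags &= ~DEMO_PAM_SILENT;
    if (flags & DEMO_PAM_ESTABLISH_CRED) return ACT_STORE;
    if (flags & DEMO_PAM_DELETE_CRED)    return ACT_DELETE;
    if (flags & (DEMO_PAM_REINITIALIZE_CRED | DEMO_PAM_REFRESH_CRED))
        return have_cache ? ACT_REFRESH : ACT_STORE;
    return ACT_BAD_FLAGS;
}

/* Replay a sequence of pam_setcred() flag words against a policy and
 * report whether a credential cache exists afterwards. */
bool replay(enum cred_action (*policy)(unsigned, bool),
            const unsigned *calls, int n)
{
    bool have_cache = false;
    for (int i = 0; i < n; i++) {
        switch (policy(calls[i], have_cache)) {
        case ACT_STORE:  have_cache = true;  break;
        case ACT_DELETE: have_cache = false; break;
        default:         break;   /* ACT_NONE / ACT_REFRESH keep the current state */
        }
    }
    return have_cache;
}

int main(void)
{
    /* Constructed call sequences; "observed" mirrors what the reporter saw
     * under PAM_DEBUG: REINITIALIZE only, never ESTABLISH. */
    const unsigned normal[]   = { DEMO_PAM_ESTABLISH_CRED,
                                  DEMO_PAM_REINITIALIZE_CRED | DEMO_PAM_SILENT };
    const unsigned observed[] = { DEMO_PAM_REINITIALIZE_CRED | DEMO_PAM_SILENT };

    printf("strict,  ESTABLISH then REINIT: cache=%d\n", replay(setcred_strict, normal, 2));
    printf("strict,  REINIT only          : cache=%d\n", replay(setcred_strict, observed, 1));
    printf("lenient, REINIT only          : cache=%d\n", replay(setcred_lenient, observed, 1));
    return 0;
}
```

Under the strict policy the observed sequence ends with no cache, which is the symptom in the message; the lenient policy produces one, which is the alternative the second question asks about. The masking of PAM_SILENT is the practical caveat: a module that compares `flags == PAM_ESTABLISH_CRED` silently ignores an application that passes `PAM_ESTABLISH_CRED | PAM_SILENT`.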