From owner-freebsd-questions@freebsd.org Thu Aug 27 17:20:27 2015
Date: Thu, 27 Aug 2015 10:20:19 -0700
Subject: Obtain Kerberos ticket automatically upon SSH login with PAM
From: Eric Shell
To: freebsd-questions@freebsd.org
Hi folks,

I'm trying to get a nice and tidy login process that authenticates users via LDAP and also automatically grabs a Kerberos ticket so they can immediately mount Kerberized NFSv4 exports without bothering to kinit. My /etc/pam.d/system configuration is working for console logins, but I can't get it working for SSH logins even when using basically the same chain. With the debug argument to my pam_krb5.so line, I am getting this error in /var/log/debug.log for SSH logins:

    sshd[7457]: in openpam_dispatch(): /usr/lib/pam_krb5.so.5: pam_sm_setcred(): failed to retrieve user credentials

Searching for that error on Google turns up a thread from 2013 that seems to indicate that the problem lies with OpenSSH. Is that true? If so, is there any way to make this work?

/etc/pam.d/system:

    # auth
    auth        sufficient  pam_opie.so          no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so    no_warn allow_local
    auth        optional    pam_krb5.so          debug try_first_pass
    auth        sufficient  pam_ldap.so          no_warn try_first_pass
    #auth       sufficient  pam_ssh.so           no_warn try_first_pass
    auth        required    pam_unix.so          no_warn try_first_pass nullok

    # account
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     required    pam_unix.so

    # session
    #session    optional    pam_ssh.so           want_agent
    session     required    pam_lastlog.so       no_fail

    # password
    #password   sufficient  pam_krb5.so          no_warn try_first_pass
    password    required    pam_unix.so          no_warn try_first_pass

/etc/pam.d/sshd:

    # auth
    auth        sufficient  pam_opie.so          no_warn no_fake_prompts
    #auth       requisite   pam_opieaccess.so    no_warn allow_local
    auth        optional    pam_krb5.so          debug try_first_pass
    auth        sufficient  pam_ldap.so          no_warn try_first_pass
    #auth       sufficient  pam_ssh.so           no_warn try_first_pass
    auth        required    pam_unix.so          no_warn try_first_pass

    # account
    account     required    pam_nologin.so
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     required    pam_unix.so

    # session
    #session    optional    pam_ssh.so           want_agent
    session     required    pam_permit.so

    # password
    #password   sufficient  pam_krb5.so          no_warn try_first_pass
    password    required    pam_unix.so          no_warn try_first_pass
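Editor's note, added to the archived message and not part of the original post. The logged text is how OpenPAM renders PAM_CRED_UNAVAIL: pam_krb5's pam_sm_setcred had no credential cache to install. The module can only install a ticket that its own pam_sm_authenticate obtained from the user's password on the same PAM handle, so two SSH situations leave it empty-handed. A public-key login never calls pam_authenticate at all, so pam_krb5 never sees a password and there is nothing to install; this happens regardless of how the pam.d chain is written. The explanation usually given for the error quoted above, when the login did use a password, is OpenSSH's privilege separation: the PAM conversation runs in a separate process from the one that later calls pam_setcred, so module-private data from authentication is not there when credentials are established. The script below is my own added example, not code from the poster or from FreeBSD; it reads an sshd_config and reports which login paths can end with a ticket, so that a "ticket missing after SSH login" report can be checked against the server's configuration before touching pam.d. The function names (sshd_opt, krb5_ticket_paths, ticket_present) are mine, the sample sshd_config is constructed for the demo, and the keyword defaults are the ones documented in sshd_config(5).

```shell
#!/bin/sh
# Added example, not from the original post: decide from an sshd_config which
# SSH login paths can leave a Kerberos ticket for pam_krb5 to install.
# pam_krb5 only obtains a TGT when pam_authenticate hands it a password; a
# public-key login never passes through that call.
#
# Simplifications: only "Keyword value" lines are parsed, and parsing stops at
# the first Match block, whose settings are conditional.

# Effective value of one sshd_config keyword, lower-cased. sshd keeps the
# first occurrence, so the first non-comment match wins; $3 is the
# sshd_config(5) default used when the keyword is absent.
sshd_opt() {
    val=$(awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Print one line of space-separated tokens for the given sshd_config:
#   pam-password      PAM sees a password (PasswordAuthentication or
#                     keyboard-interactive), so pam_krb5 can obtain a TGT
#   gssapi            a client holding a ticket may authenticate with it and,
#                     if it delegates, leave a forwarded ticket on the server
#   pubkey-no-ticket  public-key logins are allowed; they bypass
#                     pam_authenticate, so no ticket is acquired for them
#   none              no path on this server can produce a ticket
krb5_ticket_paths() {
    cfg=$1
    out=""
    if [ "$(sshd_opt "$cfg" UsePAM no)" = yes ]; then
        pw=$(sshd_opt "$cfg" PasswordAuthentication yes)
        # ChallengeResponseAuthentication is the older alias of
        # KbdInteractiveAuthentication; honour whichever is present.
        kbd=$(sshd_opt "$cfg" ChallengeResponseAuthentication "")
        [ -n "$kbd" ] || kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication yes)
        if [ "$pw" = yes ] || [ "$kbd" = yes ]; then
            out="pam-password"
        fi
    fi
    if [ "$(sshd_opt "$cfg" GSSAPIAuthentication no)" = yes ]; then
        out="${out:+$out }gssapi"
    fi
    if [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" = yes ]; then
        out="${out:+$out }pubkey-no-ticket"
    fi
    printf '%s\n' "${out:-none}"
}

# Post-login check to run in the new shell: exit 0 if a valid ticket is in the
# default credential cache, 1 if not, 2 if no Kerberos tools are installed.
# (klist -s is accepted by both Heimdal and MIT klist.)
ticket_present() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -s
}

# Constructed sample resembling the poster's goal: PAM-driven password logins
# with public keys still allowed. Written to a temp file only for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment (not a real server's file)
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
GSSAPIAuthentication no
Match User nobody
    PasswordAuthentication yes
EOF
echo "ticket paths: $(krb5_ticket_paths "$sample")"
rm -f "$sample"
```

For the sample above the output is "pam-password pubkey-no-ticket": password logins go through PAM and can get a ticket, but anyone who logs in with a key will land without one and will still need kinit. GSSAPIAuthentication is the path that does not depend on PAM at all: a client that already holds a TGT and sets GSSAPIDelegateCredentials forwards it, and sshd stores it in a credential cache for the session. Whether the client delegates cannot be read from the server's file, which is why the script only reports that the path is enabled.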