From: Viktar Sakovich
To: freebsd-questions@freebsd.org
Date: Tue, 25 Nov 2008 07:11:35 +0200
Subject: Openssh + pam_krb5 doesn't establish credential cache.
Reply-To: atlantos@gmail.com

Hi.

I am trying to set up ssh+pam_krb5 for authentication and establishment of a credential cache on FreeBSD 6.3 against MIT Kerberos. Everything is OK with authentication, but not with establishment of the credential cache by pam_krb5. I tried different combinations of modules in /etc/pam.d/sshd, starting from the default /usr/src/etc/pam.d/sshd with pam_krb5.so uncommented. I also tried to use "UsePrivilegeSeparation no" in /etc/ssh/sshd_config.

In the KDC log file I see during user login:

Nov 24 15:22:34 kdchost krb5kdc[20876]: AS_REQ (2 etypes {1 16}) 10.34.22.15: ISSUE: authtime 1227536554, etypes {rep=1 tkt=16 ses=1}, user@REALM for krbtgt/REALM@REALM
Nov 24 15:22:34 kdchost krb5kdc[20876]: TGS_REQ (2 etypes {1 16}) 10.34.22.15: ISSUE: authtime 1227536554, etypes {rep=1 tkt=16 ses=1}, user@REALM for host/bsdhost@REALM

After user login there are no ccache files in the usual location /tmp/krb5cc_uid and KRB5CCNAME is not set. But the user can establish a ccache manually using /usr/bin/kinit.

A search of the FreeBSD lists gave threads discussing the above problem dated up to 2003, without any suggestion of how to resolve it.