Date:      Mon, 8 Sep 2003 14:07:07 -0700 (PDT)
From:      Jon Passki <cykyc@yahoo.com>
To:        freebsd-stable@freebsd.org
Subject:   Base pam_krb5 on recent -STABLE and credential cache storage
Message-ID:  <20030908210707.43276.qmail@web40708.mail.yahoo.com>

Hello,

Prequalify: I'm quite a novice w/ Kerberos, so my terminology and
assumptions may be rough.  Also, please CC me since I'm not a list
subscriber.

I'm running a fairly recent -STABLE [1] and have installed the base
Heimdal Kerberos implementation via the MAKE_KERBEROS5 knob in
/etc/make.conf.  I'm having the problem that I don't see a cached
credential file being created in /tmp.

I uncommented the pam_krb5 for login in /etc/pam.conf and adjusted
it as follows:

login   auth    sufficient      pam_krb5.so   try_first_pass debug
login   auth    required        pam_unix.so   try_first_pass
login   account required        pam_unix.so
login   password required       pam_permit.so
login   session required        pam_permit.so

After adjusting syslog.conf, restarting, and creating a debug log,
the following was logged on a successful login:

Sep  8 15:48:16 dominique login: pam_krb5: pam_sm_authenticate(login jon): entry:
Sep  8 15:48:18 dominique login: pam_krb5: pam_sm_authenticate(login jon): exit: success

Unfortunately, no credentials were stored in the usual location
(e.g. /tmp/krb5cc_<uid>).  I've had the following combinations:

login   auth    sufficient      pam_krb5.so   try_first_pass debug ccache=SAFE

login   auth    sufficient      pam_krb5.so   try_first_pass debug ccache=/tmp/krb5cc_%u

According to the pam_krb5(8) manual page,

"The pam_sm_setcred() function stores the newly acquired
credentials in a credentials cache, and sets the environment
variable KRB5CCNAME appropriately.  The credentials cache should be
destroyed by the user at logout with kdestroy(1)."

And looking through
/usr/src/lib/libpam/modules/pam_krb5/pam_krb5_auth.c did show that
something should have been logged by pam_sm_setcred():

 * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5_auth.c,v 1.1.2.2 2001/07/29 18:57:30 markm Exp $

#define DLOG(error_func, error_msg) \
if (debug) \
    syslog(LOG_DEBUG, "pam_krb5: pam_sm_setcred(%s %s): %s: %s", \
           service, name, error_func, error_msg)


Any ideas why I don't see a cached credential file in the usual
location?  Any other information I can provide to help out?

Take care,

Jon Passki

[1] uname -a
FreeBSD dominique 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #13: Sat Sep  6 16:56:34 CDT 2003     root@dominique:/usr/obj/usr/src/sys/DOMINIQUE  i386
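Two checks for the symptom reported in this mail, added here as example code (not from the mail, the list or FreeBSD): one reads a pam_krb5 debug log in the DLOG format quoted above and tells whether pam_sm_setcred ever ran after pam_sm_authenticate succeeded; the other inspects the resulting /tmp/krb5cc_<uid> file for ownership and permission bits. Function names, the optional cache-path argument and the sample log lines used when testing are assumptions constructed from the mail, not anything the module itself provides.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD). Log lines follow
# the DLOG format quoted from pam_krb5_auth.c:
#   "pam_krb5: pam_sm_setcred(service user): func: msg"

# Did pam_sm_authenticate report success for this service/user? Returns 0 if so.
auth_succeeded() {
    log=$1 service=$2 user=$3
    grep -q "pam_krb5: pam_sm_authenticate($service $user): exit: success" "$log"
}

# Did pam_sm_setcred ever get entered for this service/user? A log showing only
# pam_sm_authenticate succeeding means no cache was written. Returns 0 if entered.
setcred_ran() {
    log=$1 service=$2 user=$3
    grep -q "pam_krb5: pam_sm_setcred($service $user): entry" "$log"
}

# Sanity-check a credential cache: it must be a regular file owned by the
# expected uid with no group/other permission bits (a ticket cache readable by
# others hands the tickets to anyone on the box). Uses POSIX ls -n so the same
# code runs on FreeBSD and Linux. Prints the failing reason; returns 0 when OK.
check_ccache() {
    cache=$1 uid=$2
    [ -f "$cache" ] || { echo "no cache at $cache"; return 1; }
    set -- $(ls -ldn "$cache")               # mode links uid gid size ...
    mode=$1 owner=$3
    [ "$owner" = "$uid" ] || { echo "$cache owned by uid $owner, expected $uid"; return 1; }
    case "$mode" in
        -???------*) ;;                      # positions 5-10 (group, other) all clear
        *) echo "$cache mode $mode is too permissive"; return 1 ;;
    esac
    return 0
}

# One-line diagnosis: log, service, user, uid, optional cache path (hypothetical
# helper; the default path is the one the mail expects). Exit codes: 1 no auth
# success, 2 setcred never ran, 3 cache missing or unsafe, 0 all good.
diagnose() {
    log=$1 service=$2 user=$3 uid=$4 cache=${5:-/tmp/krb5cc_$uid}
    auth_succeeded "$log" "$service" "$user" || { echo "authenticate did not succeed"; return 1; }
    setcred_ran "$log" "$service" "$user" || { echo "authenticate succeeded but pam_sm_setcred never ran"; return 2; }
    check_ccache "$cache" "$uid" || return 3
    echo "ok: $cache present and private"
}
```

Run as `diagnose /var/log/pam_krb5.log login jon "$(id -u jon)"` against the log produced by the debug option above; exit code 2 is the situation described in the mail.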