From owner-freebsd-stable@FreeBSD.ORG Mon Sep 8 14:07:08 2003
Message-ID: <20030908210707.43276.qmail@web40708.mail.yahoo.com>
Date: Mon, 8 Sep 2003 14:07:07 -0700 (PDT)
From: Jon Passki
Reply-To: cykyc@yahoo.com
To: freebsd-stable@freebsd.org
Subject: Base pam_krb5 on recent -STABLE and credential cache storage
List-Id: Production branch of FreeBSD source code

Hello,

Prequalify: I'm quite a novice with Kerberos, so my terminology and
assumptions may be rough. Also, please CC me since I'm not a list
subscriber.

I'm running a fairly recent -STABLE [1] and have installed the base
Heimdal Kerberos implementation via the MAKE_KERBEROS5 knob in
/etc/make.conf. I'm having the problem that I don't see a cached
credential file being created in /tmp.
I uncommented the pam_krb5 line for login in /etc/pam.conf and adjusted it
as follows:

    login   auth        sufficient  pam_krb5.so     try_first_pass debug
    login   auth        required    pam_unix.so     try_first_pass
    login   account     required    pam_unix.so
    login   password    required    pam_permit.so
    login   session     required    pam_permit.so

After adjusting syslog.conf, restarting, and creating a debug log, the
following was logged on a successful login:

    Sep 8 15:48:16 dominique login: pam_krb5: pam_sm_authenticate(login jon): entry:
    Sep 8 15:48:18 dominique login: pam_krb5: pam_sm_authenticate(login jon): exit: success

Unfortunately, no credentials were stored in the usual location (e.g.
/tmp/krb5cc_). I've had the following combinations:

    login   auth        sufficient  pam_krb5.so     try_first_pass debug ccache=SAFE
    login   auth        sufficient  pam_krb5.so     try_first_pass debug ccache=/tmp/krb5cc_%u

According to the pam_krb5(8) manual page, "The pam_sm_setcred() function
stores the newly acquired credentials in a credentials cache, and sets the
environment variable KRB5CCNAME appropriately. The credentials cache
should be destroyed by the user at logout with kdestroy(1)."

And looking through /usr/src/lib/libpam/modules/pam_krb5/pam_krb5_auth.c
did show that something should have been logged by pam_sm_setcred():

     * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5_auth.c,v 1.1.2.2 2001/07/29 18:57:30 markm Exp $

    #define DLOG(error_func, error_msg) \
        if (debug) \
            syslog(LOG_DEBUG, "pam_krb5: pam_sm_setcred(%s %s): %s: %s", \
                service, name, error_func, error_msg)

Any ideas why I don't see a cached credential file in the usual location?
Any other information I can provide to help out?

Take care,

Jon Passki

[1] uname -a
    FreeBSD dominique 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #13: Sat Sep 6 16:56:34 CDT 2003 root@dominique:/usr/obj/usr/src/sys/DOMINIQUE i386
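An added example, not code from the message above or from FreeBSD's libpam, that parses the /etc/pam.conf stanza quoted in it and simulates how the login auth stack is walked under the standard PAM control flags (required, requisite, sufficient, optional). Module outcomes are supplied as hypothetical booleans rather than by loading real modules, and the flag semantics are the usual simplified ones. It shows that once pam_krb5.so (marked sufficient) succeeds, pam_unix.so is never consulted, and it reports a ccache= option on pam_krb5.so when one is configured. What it cannot tell is whether the login program itself calls pam_setcred(), which, per the pam_krb5(8) text quoted above, is the step that writes the credentials cache and sets KRB5CCNAME.

```python
"""Parse pam.conf(5)-style lines and simulate how a PAM stack is walked.
Added illustration; not code from the message or from FreeBSD."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the /etc/pam.conf lines quoted in the message.
PAM_CONF = """\
login auth     sufficient pam_krb5.so   try_first_pass debug
login auth     required   pam_unix.so   try_first_pass
login account  required   pam_unix.so
login password required   pam_permit.so
login session  required   pam_permit.so
"""

@dataclass
class Rule:
    service: str   # e.g. "login"
    facility: str  # auth | account | session | password
    control: str   # required | requisite | sufficient | optional
    module: str    # e.g. "pam_krb5.so"
    options: List[str]

def parse_pam_conf(text: str) -> List[Rule]:
    """Parse 'service facility control module [options...]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return rules

def stack_for(rules: List[Rule], service: str, facility: str) -> List[Rule]:
    """Select the rules that make up one service's stack for one facility."""
    return [r for r in rules if r.service == service and r.facility == facility]

def evaluate(stack: List[Rule], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk a stack with simplified PAM control-flag semantics.

    `results` maps module name -> whether that module reports success
    (hypothetical outcomes we supply; no real module is called).
    Returns (overall result, modules actually invoked, in order).
    """
    invoked: List[str] = []
    required_failed = False
    decided = False            # has any rule produced a result that counts?
    for rule in stack:
        invoked.append(rule.module)
        ok = results.get(rule.module, False)
        if rule.control == "sufficient":
            if ok and not required_failed:
                return True, invoked      # short-circuit: later modules are skipped
        elif rule.control == "required":
            decided = True
            if not ok:
                required_failed = True    # keep walking, but the stack will fail
        elif rule.control == "requisite":
            decided = True
            if not ok:
                return False, invoked     # fail immediately
        elif rule.control == "optional":
            decided = decided or ok       # counts only if nothing else decided
        else:
            raise ValueError("unknown control flag: %s" % rule.control)
    # A stack in which every module was sufficient/optional and all failed
    # yields failure, not an accidental success.
    return (not required_failed) and decided, invoked

def ccache_option(stack: List[Rule]) -> Optional[str]:
    """Return the value of a ccache= option on pam_krb5.so, if one is set."""
    for rule in stack:
        if rule.module == "pam_krb5.so":
            for opt in rule.options:
                if opt.startswith("ccache="):
                    return opt.split("=", 1)[1]
    return None

if __name__ == "__main__":
    auth = stack_for(parse_pam_conf(PAM_CONF), "login", "auth")
    for outcome in ({"pam_krb5.so": True},
                    {"pam_krb5.so": False, "pam_unix.so": True},
                    {"pam_krb5.so": False, "pam_unix.so": False}):
        print(outcome, "->", evaluate(auth, outcome))
    print("ccache option:", ccache_option(auth))
```

Running it prints which modules were consulted for each outcome; the first case stops after pam_krb5.so alone, which is why a correct Kerberos password never reaches pam_unix.so under this stanza.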