
Re: strange errors from pam-krb5



Nico

Ok... Added the "setcred_in_auth" and didn't seem to change the log at all..

(login)

Nov 29 11:29:17 SYSTEM sshd[484]: [ID 551190 auth.debug] pam_krb5: pam_sm_authenticate(sshd mdbaker): entry:
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 551190 auth.debug] pam_krb5: pam_sm_authenticate(sshd mdbaker): exit: success
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 248316 auth.debug] pam_krb5: pam_sm_acct_mgmt(sshd mdbaker): entry:
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 248316 auth.debug] pam_krb5: pam_sm_acct_mgmt(sshd mdbaker): exit: success
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 800047 auth.info] Accepted password for mdbaker from XXX.XXX.XXX.XXX port 35978 ssh2
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 843472 auth.debug] pam_krb5: pam_sm_setcred(sshd mdbaker): entry:
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 843472 auth.debug] pam_krb5: pam_sm_setcred(sshd mdbaker): chown(): Not owner
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 843472 auth.debug] pam_krb5: pam_sm_setcred(sshd mdbaker): exit: failure
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 833576 auth.debug] pam_setcred: error Error in underlying service module
Nov 29 11:29:17 SYSTEM sshd[484]: [ID 993013 auth.debug] pam_sm_setcred(): no module data



(logout)


Nov 29 11:29:26 joint sshd[484]: [ID 833576 auth.debug] pam_setcred: error Error in underlying service module
Nov 29 11:29:26 joint sshd[484]: [ID 833576 auth.debug] pam_setcred: error Permission denied


No, the cache file does not exist... One other interesting item... If it does exist,
it gets deleted... That is not right... ;)


See-ya
Mitch


At 11:08 AM 11/29/2001 -0500, you wrote:
On Thu, Nov 29, 2001 at 09:18:33AM -0600, Steve Langasek wrote:
> On Thu, Nov 29, 2001 at 09:50:51AM -0500, Mitchell Baker wrote:
> > Authenticating but NOT setting up credential cache
> > Solaris 8
> > OpenSSH_3.0.1p1
> > MIT KRB5 1.2.2
>
> > The pam.conf is the same on both and so is the sshd_config
>
> > Do have the debug option on with the pam_krb5. Here is more of the logs.
> > With logout...
>
> > Nov 29 08:04:26 system sshd[880]: [ID 551190 auth.debug] pam_krb5:
> > pam_sm_authenticate(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 551190 auth.debug] pam_krb5:
> > pam_sm_authenticate(sshd mdbaker): exit: success
> > Nov 29 08:04:26 system sshd[880]: [ID 248316 auth.debug] pam_krb5:
> > pam_sm_acct_mgmt(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 248316 auth.debug] pam_krb5:
> > pam_sm_acct_mgmt(sshd mdbaker): exit: success
> > Nov 29 08:04:26 system sshd[880]: [ID 800047 auth.info] Accepted password
> > for mdbaker from xxx.xxx.xxx.xxx port 35740 ssh2
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > pam_sm_setcred(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > pam_sm_setcred(sshd mdbaker): chown(): Not owner
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5:
> > pam_sm_setcred(sshd mdbaker): exit: failure
> > Nov 29 08:04:26 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error
> > Error in underlying service module
> > Nov 29 08:04:26 system sshd[880]: [ID 993013 auth.debug] pam_sm_setcred():
> > no module data
> > Nov 29 08:04:44 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error
> > Error in underlying service module
> > Nov 29 08:04:44 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error
> > Permission denied
>
> Hmm. Sounds like something has changed in OpenSSH 3.0.1p1 wrt the order
> of setuid() and pam_setcred() calls.


Indeed, it sounds that way.

> Nico, is this our bug or theirs?

Still looking. Remember, I don't use the latest pam_krb5, yet...

Something looks off though, "... pam_sm_setcred(): no module data"... Is
OpenSSH perhaps using a different pam handle for the setcred?

Mitchell,

Can you try adding the "setcred_in_auth" option to auth pam_krb5 line?

Also, does a /tmp/krb5cc_<uid> already exist and is it owned by a user
other than the user you're logging in as?


> Steve Langasek
> postmodern programmer


Nico --




_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list

/####################################################################/
/# Mitchell "Buzz" Baker              "To Infinity And Beyond..."   #/
/# Sr. Systems Admin          Rose-Hulman Institute of Technology   #/
/# Mitchell.D.Baker@rose-hulman.edu           www.rose-hulman.edu   #/
/# For PGP Public key, check out www.keyserver.net                  #/
/####################################################################/
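
Added example, not part of the original thread or of pam_krb5: a small triage script for the pattern in the logs above, where pam_sm_authenticate succeeds but pam_sm_setcred exits with failure, so the user is logged in without a credential cache. The sample lines are constructed in the same Solaris syslog layout; the host, users and address are placeholders, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the Solaris syslog layout shown in the thread
# (host, users and address are placeholders, not values from the thread).
SAMPLE = """\
Nov 29 11:29:17 host sshd[484]: [ID 551190 auth.debug] pam_krb5: pam_sm_authenticate(sshd alice): exit: success
Nov 29 11:29:17 host sshd[484]: [ID 800047 auth.info] Accepted password for alice from 192.0.2.10 port 35978 ssh2
Nov 29 11:29:17 host sshd[484]: [ID 843472 auth.debug] pam_krb5: pam_sm_setcred(sshd alice): entry:
Nov 29 11:29:17 host sshd[484]: [ID 843472 auth.debug] pam_krb5: pam_sm_setcred(sshd alice): chown(): Not owner
Nov 29 11:29:17 host sshd[484]: [ID 843472 auth.debug] pam_krb5: pam_sm_setcred(sshd alice): exit: failure
Nov 29 11:31:02 host sshd[512]: [ID 551190 auth.debug] pam_krb5: pam_sm_authenticate(sshd bob): exit: success
Nov 29 11:31:02 host sshd[512]: [ID 843472 auth.debug] pam_krb5: pam_sm_setcred(sshd bob): exit: success
"""

# Matches only pam_krb5 debug lines: sshd pid, PAM entry point, user, message.
LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: \[ID \d+ auth\.debug\] pam_krb5: "
    r"(?P<func>pam_sm_\w+)\(sshd (?P<user>[^)]+)\): (?P<msg>.*)$"
)

def find_setcred_failures(text):
    """Return logins where pam_krb5 authenticated the user but setcred failed."""
    state = defaultdict(lambda: {"auth_ok": False, "setcred": None, "reasons": []})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # sshd's own lines and non-pam_krb5 messages are skipped
        s = state[(m["pid"], m["user"])]
        func, msg = m["func"], m["msg"].strip()
        if func == "pam_sm_authenticate" and msg == "exit: success":
            s["auth_ok"] = True
        elif func == "pam_sm_setcred":
            if msg.startswith("exit:"):
                s["setcred"] = msg.split(":", 1)[1].strip()
            elif msg != "entry:":
                s["reasons"].append(msg)  # e.g. the failing call and its errno text
    return [
        {"pid": pid, "user": user, "reasons": s["reasons"]}
        for (pid, user), s in state.items()
        if s["auth_ok"] and s["setcred"] == "failure"
    ]

if __name__ == "__main__":
    for hit in find_setcred_failures(SAMPLE):
        print(hit)
```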




