
Re: strange errors from pam-krb5



On Thu, Nov 29, 2001 at 09:18:33AM -0600, Steve Langasek wrote:
> On Thu, Nov 29, 2001 at 09:50:51AM -0500, Mitchell Baker wrote:
> > Authenticating but NOT setting up credential cache
> > Solaris 8
> > OpenSSH_3.0.1p1
> > MIT KRB5 1.2.2
> 
> > The pam.conf is the same on both and so is the sshd_config
> 
> > Do have the debug option on with the pam_krb5. Here is more of the logs.
> > With logout...
> 
> > Nov 29 08:04:26 system sshd[880]: [ID 551190 auth.debug] pam_krb5: 
> > pam_sm_authenticate(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 551190 auth.debug] pam_krb5: 
> > pam_sm_authenticate(sshd mdbaker): exit: success
> > Nov 29 08:04:26 system sshd[880]: [ID 248316 auth.debug] pam_krb5: 
> > pam_sm_acct_mgmt(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 248316 auth.debug] pam_krb5: 
> > pam_sm_acct_mgmt(sshd mdbaker): exit: success
> > Nov 29 08:04:26 system sshd[880]: [ID 800047 auth.info] Accepted password 
> > for mdbaker from xxx.xxx.xxx.xxx port 35740 ssh2
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5: 
> > pam_sm_setcred(sshd mdbaker): entry:
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5: 
> > pam_sm_setcred(sshd mdbaker): chown(): Not owner
> > Nov 29 08:04:26 system sshd[880]: [ID 843472 auth.debug] pam_krb5: 
> > pam_sm_setcred(sshd mdbaker): exit: failure
> > Nov 29 08:04:26 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error 
> > Error in underlying service module
> > Nov 29 08:04:26 system sshd[880]: [ID 993013 auth.debug] pam_sm_setcred(): 
> > no module data
> > Nov 29 08:04:44 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error 
> > Error in underlying service module
> > Nov 29 08:04:44 system sshd[880]: [ID 833576 auth.debug] pam_setcred: error 
> > Permission denied
> 
> Hmm.  Sounds like something has changed in OpenSSH 3.0.1p1 wrt the order
> of setuid() and pam_setcred() calls.

Indeed, it sounds that way.

> Nico, is this our bug or theirs?

Still looking. Remember, I don't use the latest pam_krb5, yet...

Something looks off though, "... pam_sm_setcred(): no module data"... Is
OpenSSH perhaps using a different pam handle for the setcred?

Mitchell,

Can you try adding the "setcred_in_auth" option to auth pam_krb5 line?

Also, does a /tmp/krb5cc_<uid> already exist and is it owned by a user
other than the user you're logging in as?


> Steve Langasek
> postmodern programmer


Nico
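
The ownership question asked above, turned into a repeatable check. This is an added example, not part of the original message or of pam_krb5; the function name `check_ccache` and its output strings are assumptions made for illustration, and the default path follows the /tmp/krb5cc_<uid> pattern named in the message.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from pam_krb5 or OpenSSH).
# Usage: check_ccache UID [PATH]
# Prints one of: absent, ok, symlink, not-regular, wrong-owner:<uid>
# Returns 0 for absent/ok, 1 for anything that could make chown() or
# a cache write fail for the user logging in.
check_ccache() {
    want_uid=$1
    path=${2:-/tmp/krb5cc_$1}

    # Test for a symlink first: a link in /tmp must be reported as such,
    # not followed to whatever it points at.
    if [ -L "$path" ]; then
        echo "symlink"
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo "absent"
        return 0
    fi
    if [ ! -f "$path" ]; then
        echo "not-regular"
        return 1
    fi

    # ls -n prints the numeric owner uid in the third field.
    owner=$(ls -lnd -- "$path" | awk '{print $3}')
    if [ "$owner" != "$want_uid" ]; then
        echo "wrong-owner:$owner"
        return 1
    fi
    echo "ok"
    return 0
}
```

Run it as root on the server with the numeric uid of the account that fails to log in, before the login attempt, so the result reflects a leftover cache rather than one the session just created.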