Base pam_krb5 on recent -STABLE and credential cache storage
Jon Passki
cykyc at yahoo.com
Mon Sep 8 14:07:08 PDT 2003
Hello,
Prequalify: I'm quite a novice w/ Kerberos, so my terminology and
assumptions may be rough. Also, please CC me since I'm not a list
subscriber.
I'm running a fairly recent -STABLE [1] and have installed the base
Heimdal Kerberos implementation via the MAKE_KERBEROS5 knob in
/etc/make.conf. I'm having the problem that I don't see a cached
credential file being created in /tmp.
I uncommented the pam_krb5 for login in /etc/pam.conf and adjusted
it as follows:
login auth sufficient pam_krb5.so try_first_pass debug
login auth required pam_unix.so try_first_pass
login account required pam_unix.so
login password required pam_permit.so
login session required pam_permit.so
After adjusting syslog.conf, restarting, and creating a debug log,
the following was logged on a successful login:
Sep 8 15:48:16 dominique login: pam_krb5: pam_sm_authenticate(login jon): entry:
Sep 8 15:48:18 dominique login: pam_krb5: pam_sm_authenticate(login jon): exit: success
Unfortunately, no credentials were stored in the usual location
(e.g. /tmp/krb5cc_<uid>). I've had the following combinations:
login auth sufficient pam_krb5.so try_first_pass debug ccache=SAFE
login auth sufficient pam_krb5.so try_first_pass debug ccache=/tmp/krb5cc_%u
According to the pam_krb5(8) manual page,
"The pam_sm_setcred() function stores the newly acquired
credentials in a credentials cache, and sets the environment
variable KRB5CCNAME appropriately. The credentials cache should be
destroyed by the user at logout with kdestroy(1)."
And looking through
/usr/src/lib/libpam/modules/pam_krb5/pam_krb5_auth.c did show that
something should have been logged by pam_sm_setcred():
 * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5_auth.c,v 1.1.2.2 2001/07/29 18:57:30 markm Exp $

#define DLOG(error_func, error_msg) \
	if (debug) \
		syslog(LOG_DEBUG, "pam_krb5: pam_sm_setcred(%s %s): %s: %s", \
		    service, name, error_func, error_msg)
Any ideas why I don't see a cached credential file in the usual
location? Any other information I can provide to help out?
Take care,
Jon Passki
[1] uname -a
FreeBSD dominique 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #13: Sat Sep 6 16:56:34 CDT 2003 root at dominique:/usr/obj/usr/src/sys/DOMINIQUE i386
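
Added example, not part of the original message or of FreeBSD's code: an sh/awk filter that reads pam_krb5 debug syslog lines and flags each login where pam_sm_authenticate() reported success but no pam_sm_setcred() line followed, which is the symptom described in the message. The names check_setcred and sample_log, the output format and the "sshd alice" sample lines are assumptions made for illustration; the two message prefixes are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: flag logins where pam_krb5 logged a successful
# pam_sm_authenticate() but no pam_sm_setcred() debug line followed.
# Message prefixes are those quoted in the post; names here are illustrative.
check_setcred() {    # reads syslog lines on stdin
    awk '
    {
        i = index($0, "pam_krb5: pam_sm_")
        if (i == 0) next
        s  = substr($0, i + 10)                # skip "pam_krb5: "
        lp = index(s, "(")
        rp = index(s, "):")
        if (lp == 0 || rp < lp) next
        fn   = substr(s, 1, lp - 1)            # PAM entry point name
        key  = substr(s, lp + 1, rp - lp - 1)  # "service user"
        rest = substr(s, rp + 3)               # text after "): "
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (fn == "pam_sm_authenticate" && rest ~ /^exit: success/) {
            auth_ok[key]++
            pending[key] = 1                   # a setcred line should follow
        } else if (fn == "pam_sm_setcred" && pending[key]) {
            setcred[key]++                     # count once per login
            pending[key] = 0
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            if (auth_ok[k] + 0 == 0) continue  # no successful Kerberos auth
            verdict = (auth_ok[k] > setcred[k] + 0) ? "MISSING_SETCRED" : "OK"
            printf "%s: auth_ok=%d setcred_seen=%d %s\n", k, auth_ok[k], setcred[k] + 0, verdict
        }
    }'
}

# Constructed sample: the first two lines are the post's log entries rejoined;
# the "sshd alice" lines are invented to show the expected pattern.
sample_log() {
    cat <<'EOF'
Sep 8 15:48:16 dominique login: pam_krb5: pam_sm_authenticate(login jon): entry:
Sep 8 15:48:18 dominique login: pam_krb5: pam_sm_authenticate(login jon): exit: success
Sep 8 16:02:01 dominique sshd: pam_krb5: pam_sm_authenticate(sshd alice): entry:
Sep 8 16:02:02 dominique sshd: pam_krb5: pam_sm_authenticate(sshd alice): exit: success
Sep 8 16:02:02 dominique sshd: pam_krb5: pam_sm_setcred(sshd alice): example_func: constructed message
EOF
}

sample_log | check_setcred
```

To use it on a live system, redirect the debug log file configured in syslog.conf into check_setcred instead of sample_log.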