
Thread: Kerberos broken for ksu MIT 1.11.3 YaST package distro Problem Solved

  1. #1


    Install kerberos5 and successfully configure a KDC on a server using the YaST krb5 module; this is a distro problem with openSUSE 13.1.

    SUMMARY: Missing PAM file /etc/pam.d/ksu, and wrong file descriptor

    Background

    Using some old SUSE how-tos

    http://doc.opensuse.org/products/dra...dmin.kdc.princ

    Though the majority of the installation worked, the system refused to authorise ksu sessions.

    This was typical output from a failed ksu:

    1) ksu
    account1@dc2:~> ksu
    WARNING: Your password may be exposed if you enter it here and are logged
    in remotely using an unsecure (non-encrypted) channel.
    Kerberos password for account1/root@UNIX1.FOREST1.POC.NET: :
    Authenticated account1/root@UNIX1.FOREST1.POC.NET
    Access denied for root.

    2) Using "journalctl -f" the following errors could be seen

    Feb 11 18:20:03 dc2 slapd[1661]: daemon: epoll: listen=7 active_threads=0 tvp=zero
    Feb 11 18:20:03 dc2 ksu[13086]: 'ksu root' authenticated account1/root@UNIX1.FOREST1.POC.NET for account1 on /dev/pts/5
    Feb 11 18:20:03 dc2 ksu[13086]: pam_warn(ksu:account): function=[pam_sm_acct_mgmt] service=[ksu] terminal=[/dev/pts/5] user=[root] ruser=[account1] rhost=[<unknown>]

    Scouring the forums I could find no solution, but the problem was twofold.

    3) klist showed part of the problem with a reference to a directory file descriptor:
    account1@dc2:~> klist
    Ticket cache: DIR::/run/user/1000/krb5cc/tktRIM8Eb
    Default principal: account1@UNIX1.FOREST1.POC.NET

    Valid starting Expires Service principal
    11/02/14 18:20:22 12/02/14 01:00:22 krbtgt/UNIX1.FOREST1.POC.NET@UNIX1.FOREST1.POC.NET

    The realisation was that ksu was not referencing the cached credentials.
    Hence the system prompted for credentials, the reason being that the reference to the cache file used the wrong file descriptor, stating DIR when it should be FILE.

    To correct this:
    account1@dc2:~> export KRB5CCNAME=FILE:/run/user/1000/krb5cc/tktRIM8Eb
    account1@dc2:~> klist
    Ticket cache: FILE:/run/user/1000/krb5cc/tktRIM8Eb
    Default principal: account1@UNIX1.FOREST1.POC.NET

    Valid starting Expires Service principal
    11/02/14 18:20:22 12/02/14 01:00:22 krbtgt/UNIX1.FOREST1.POC.NET@UNIX1.FOREST1.POC.NET


    account@dc2:~> ksu
    Authenticated account1root@UNIX1.FOREST1.POC.NET
    Access denied for root. <------------------------------------- FINDS the cache file and stops prompting, but still access denied



    4) Now the problem was the "access denied". Looking at the logs, some evidence pointed to the PAM files; there was a direction to look at the "su-l" conf:
    dc2 su: pam_unix(su-l:session): session closed for user root
    dc2 su: pam_systemd(su-l:session): pam_putenv: delete non-existent entry; XDG_RUNTIME_DIR
    ddc2 su: pam_unix(su-l:auth): authentication failure; logname=

    This was indicative but sent the investigation around the houses looking at PAM modules:
    dc2:/etc/pam.d # ls
    atd common-account-pc common-password-pc cups login quagga su-l vmtoolsd
    chage common-account.pam-config-backup common-password.pam-config-backup groupadd newusers remote sudo vmtoolsd.rpmnew
    chfn common-auth common-session groupdel other samba systemd-user xdm
    chpasswd common-auth-pc common-session-pc groupmod passwd smtp useradd xdm-np
    chsh common-auth.pam-config-backup common-session.pam-config-backup init polkit-1 sshd userdel
    common-account common-password crond k5backup ppp su usermod
    Feb 11 18:51:13 dc2 ksu[13610]: 'ksu root' authenticated account1/root@UNIX1.FOREST1.POC.NET for account1 on /dev/pts/7
    Feb 11 18:51:13 dc2 slapd[1661]: daemon: epoll: listen=8 active_threads=0 tvp=zero
    Feb 11 18:51:13 dc2 ksu[13610]: pam_warn(ksu:account): function=[pam_sm_acct_mgmt] service=[ksu] terminal=[/dev/pts/7] user=[root] ruser=[account1] rhost=[<unknown>]

    SOLUTION was a missing link or file for a PAM file called ksu, which linked into the warning above:
    dc2:/etc/pam.d # ln -s su-l ksu
    dc2:/etc/pam.d # ls -la ksu
    lrwxrwxrwx 1 root root 4 Feb 11 21:31 ksu -> su-l
    dc2:/etc/pam.d # cat su-l
    #%PAM-1.0
    auth sufficient pam_rootok.so
    auth include common-auth
    account sufficient pam_rootok.so
    account include common-account
    password include common-password
    session include common-session
    session optional pam_xauth.so



    Now everything works:
    account1@dc2:~> export KRB5CCNAME=FILE:/run/user/1000/krb5cc/tktRIM8Eb
    account1@dc2:~> ksu
    Authenticated account/root@UNIX1.FOREST1.POC.NET
    Account root: authorization for account1/root@UNIX1.FOREST1.POC.NET successful
    Changing uid to root (0)
    dc2:/home/account1 #


    The PAM modules were installed using the above how-to and
    pam-config --add --krb5
    This pam-config did not install this file or link.

    Conclusion - Distro problem with krb5

  2. #2

    Re: Kerberos broken for ksu MIT 1.11.3 YaST package distro Problem Solved


    Further workaround: edit your shell profile and add the following
    # Sample .bashrc for SuSE Linux
    # Copyright (c) SuSE GmbH Nuernberg

    # There are 3 different types of shells in bash: the login shell, normal shell
    # and interactive shell. Login shells read ~/.profile and interactive shells
    # read ~/.bashrc; in our setup, /etc/profile sources ~/.bashrc - thus all


    test -s ~/.alias && . ~/.alias || true
    # Take the path from the "Ticket cache: DIR::/run/user/1000/krb5cc/tktRIM8Eb"
    # line of klist (the 4th colon-separated field) and re-export it as a FILE: cache
    CC=`klist | grep Ticket | awk -F: '{print $4}'`
    export KRB5CCNAME=FILE:$CC
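As an added example (not code from either post), the two checks behind this thread's diagnosis and the .bashrc workaround above, written as POSIX shell functions: deriving a FILE: cache name from klist output, covering both the DIR:: form seen in the first post and an already-correct FILE: form, and checking that a PAM service file exists so ksu is not handled by /etc/pam.d/other. The sample klist text is constructed from the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): the two checks behind the
# post's diagnosis, written as shell functions so they can be reused.

# Derive a KRB5CCNAME of the form FILE:/path from klist output on stdin.
# Handles the "DIR::/dir/tktXXXX" subsidiary-cache form the post hit, and
# passes an already-correct "FILE:/path" through unchanged. Any other cache
# type (KEYRING:, or no "Ticket cache:" line) prints nothing and returns 1.
ccname_as_file() {
    cache=$(sed -n 's/^Ticket cache: //p' | head -n 1)
    case "$cache" in
        DIR::/*) printf 'FILE:%s\n' "${cache#DIR::}" ;;
        FILE:/*) printf '%s\n' "$cache" ;;
        *)       return 1 ;;
    esac
}

# Linux-PAM consults /etc/pam.d/<service>; when that file is missing it falls
# back to /etc/pam.d/other, typically a pam_warn/pam_deny stack, which is what
# produced the "pam_warn(ksu:account)" journal line and "Access denied for root."
# $1 = PAM service name, $2 = PAM directory (defaults to /etc/pam.d).
# Returns 0 when a service file (regular file or non-dangling link) exists.
pam_service_present() {
    [ -e "${2:-/etc/pam.d}/$1" ]
}

# Constructed sample: the klist output shown in the post.
SAMPLE_KLIST='Ticket cache: DIR::/run/user/1000/krb5cc/tktRIM8Eb
Default principal: account1@UNIX1.FOREST1.POC.NET'

# Stand-alone demonstration on the sample and on the live /etc/pam.d.
if ccname=$(printf '%s\n' "$SAMPLE_KLIST" | ccname_as_file); then
    echo "export KRB5CCNAME=$ccname"
else
    echo "no FILE-compatible ticket cache found"
fi
if pam_service_present ksu; then
    echo "/etc/pam.d/ksu present"
else
    echo "/etc/pam.d/ksu missing: ksu will be handled by /etc/pam.d/other"
fi
```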
