OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found

Matthias Gerstner Matthias.Gerstner at nefkom.net
Mon Nov 28 03:53:12 EST 2005


Greetings,

I'm working on the infrastructure of a medium-sized client/server
environment using an Active Directory running on Windows Server 2003 for
central authentication of users on Linux clients.
Additionally, OpenAFS is running, using Kerberos authentication through
Active Directory as well.

Now I want to grant users remote access to their AFS data by logging in
to a central OpenSSH server running on Linux.

As authentication against the Active Directory works well when logging in
locally on the Linux clients using PAM, I wanted to use PAM for the SSH
access as well.

Unfortunately I've run into problems trying to get the OpenSSH setup
running. I have tried OpenSSH PAM support and OpenSSH's internal
Kerberos support, but both result in errors.

When using PAM authentication (using the same PAM stack we're using for
local authentication on the clients, which works with pam_krb5.so) I can
successfully log in on the OpenSSH server but don't get the Kerberos 5
ticket written to /tmp/krb5cc_[...]. The following error is written to
the logs:

--
-bash: GSSAPI Error: Miscellaneous failure (No Credentials cache found)
--

Also, the variable KRB5CCNAME isn't defined. I've already investigated this
problem on the net and tried different setups and approaches, but to no
avail. I need the Kerberos 5 ticket for use with OpenAFS.

When trying OpenSSH's internal Kerberos support I can't log in at all
and get the following error messages in the log:

--
GSSAPI Error: Miscellaneous failure (Credentials cache permission incorrect)
Failed password for <user> from <ip> port <port> ssh2
--

I had a look at the responsible source code in auth-krb5.c. By doing
some debugging there I found out that the following code fragment fails:

auth-krb5.c:137
---
if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
                  authctxt->pw->pw_name)) {
        problem = -1;
        goto out;
}
---

When I comment out this if-block I can log in using OpenSSH's internal
Kerberos support and even get my Kerberos 5 ticket and KRB5CCNAME.

I'm not that involved in Kerberos on the coding side. What does the
krb5_kuserok method do exactly? Why could it fail? Is it critical to
comment it out?

I'd be happy if somebody had a solution or some advice for me. The best
would be to get PAM authentication to correctly write the Kerberos
ticket to a file.

Oh, and here is some more data about my OpenSSH server system:

It's running on Gentoo Linux using

- OpenSSH 4.2_p1 with kerberos, ldap and pam support enabled
- mit-krb5-1.4.1-r2 with krb4 support enabled
- pam_krb5-1.0-r1
- pam-0.78-r3

Thanks in advance for your support,

Matthias Gerstner
--
Matthias.Gerstner at nefkom.net
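The question above asks what krb5_kuserok does and whether it is safe to skip. The following is an added illustration, not OpenSSH's auth-krb5.c and not MIT's kuserok.c: it re-implements the documented authorization decision over plain POSIX so it runs without libkrb5. krb5_kuserok is the authorization step that follows authentication: a valid ticket proves who the client principal is, and krb5_kuserok decides whether that principal may become the requested local account. The rule it applies is that if ~/.k5login exists (and is owned by the user or root) the principal must be listed in it, and if there is no ~/.k5login the principal must be exactly <localuser>@<default_realm>. Commenting the check out therefore lets any authenticated principal log in as any local account. The realm EXAMPLE.COM, the principal names and the .k5login contents below are constructed; the file path and ownership rules for the fallback case are simplified relative to the real library (which additionally consults krb5_aname_to_localname mapping rules). A local account name that differs from the principal name, or a krb5.conf default_realm that differs from the AD realm, makes the implicit rule fail, and a .k5login entry is the usual way to express that mapping explicitly.

```c
/* Added illustration (not OpenSSH or MIT krb5 code): the authorization
 * decision krb5_kuserok() makes, re-implemented over plain POSIX.
 *   1. If the .k5login file exists it must be owned by the target user
 *      (or root) and must list the client principal on one of its lines.
 *   2. If there is no .k5login, only <localuser>@<default realm> passes.
 * Realm, principals and file contents used here are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum kuserok_result {
    KUSEROK_ALLOW = 1,
    KUSEROK_DENY_NOT_LISTED = 0,
    KUSEROK_DENY_BAD_OWNER = -1,
    KUSEROK_DENY_IO = -2
};

/* Does `principal` appear as a whole line in the .k5login at `path`?
 * `owner_uid` is the uid of the account being logged into. */
static enum kuserok_result k5login_check(const char *path, uid_t owner_uid,
                                         const char *principal)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return KUSEROK_DENY_IO;

    struct stat sb;
    if (fstat(fileno(fp), &sb) != 0) {
        fclose(fp);
        return KUSEROK_DENY_IO;
    }
    /* A file the target user does not own must not grant access to the account. */
    if (sb.st_uid != owner_uid && sb.st_uid != 0) {
        fclose(fp);
        return KUSEROK_DENY_BAD_OWNER;
    }

    char line[512];
    enum kuserok_result res = KUSEROK_DENY_NOT_LISTED;
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';     /* strip the line terminator */
        if (line[0] == '\0' || line[0] == '#')
            continue;                            /* blank or comment line */
        if (strcmp(line, principal) == 0) {
            res = KUSEROK_ALLOW;
            break;
        }
    }
    fclose(fp);
    return res;
}

/* Full decision: consult .k5login if present, else the implicit user@REALM rule. */
enum kuserok_result kuserok_like(const char *k5login_path, uid_t owner_uid,
                                 const char *luser, const char *default_realm,
                                 const char *principal)
{
    struct stat sb;
    if (stat(k5login_path, &sb) == 0)
        return k5login_check(k5login_path, owner_uid, principal);
    if (errno != ENOENT)
        return KUSEROK_DENY_IO;   /* e.g. EACCES on the file: fail closed */

    /* No .k5login: only the principal that maps 1:1 onto the account passes. */
    char expected[256];
    snprintf(expected, sizeof expected, "%s@%s", luser, default_realm);
    return strcmp(expected, principal) == 0 ? KUSEROK_ALLOW
                                            : KUSEROK_DENY_NOT_LISTED;
}

/* Walkthrough helper: write a constructed .k5login to a temp file owned by
 * the calling user and return its path (caller unlinks and frees it). */
char *write_temp_k5login(const char *contents)
{
    char *path = strdup("/tmp/k5login_demo_XXXXXX");
    if (path == NULL)
        return NULL;
    int fd = mkstemp(path);
    if (fd < 0) { free(path); return NULL; }
    ssize_t n = write(fd, contents, strlen(contents));
    close(fd);
    if (n < 0) { unlink(path); free(path); return NULL; }
    return path;
}

int main(void)
{
    /* Constructed .k5login: the account may be entered by one principal. */
    char *p = write_temp_k5login("# constructed .k5login\nmgerstner@EXAMPLE.COM\n");
    if (p == NULL) return 1;
    printf("listed principal   -> %d\n",
           kuserok_like(p, getuid(), "mgerstner", "EXAMPLE.COM", "mgerstner@EXAMPLE.COM"));
    printf("unlisted principal -> %d\n",
           kuserok_like(p, getuid(), "mgerstner", "EXAMPLE.COM", "someone@EXAMPLE.COM"));
    unlink(p);
    printf("no .k5login, user@REALM -> %d\n",
           kuserok_like(p, getuid(), "mgerstner", "EXAMPLE.COM", "mgerstner@EXAMPLE.COM"));
    printf("no .k5login, other realm -> %d\n",
           kuserok_like(p, getuid(), "mgerstner", "EXAMPLE.COM", "mgerstner@OTHER.REALM"));
    free(p);
    return 0;
}
```

Return values of 1 mean "authorized"; anything else is a refusal, with the reason distinguishing an unlisted principal from an ownership problem or an I/O error. The decision fails closed whenever the file cannot be read or stat'ed for a reason other than its absence.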




More information about the openssh-unix-dev mailing list