[30572] in Kerberos
SUMMARY: disabling krb524d attempts - causes login hangs
daemon@ATHENA.MIT.EDU (Fletcher Cocquyt)
Fri Dec 19 17:20:07 2008
To: kerberos@mit.edu
From: Fletcher Cocquyt <fcocquyt@stanford.edu>
Date: Fri, 19 Dec 2008 22:18:51 +0000 (UTC)
Message-ID: <loom.20081219T221604-105@post.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Nalin Dahyabhai <nalin <at> redhat.com> writes:
>
> On Fri, Dec 19, 2008 at 05:16:13PM +0000, Fletcher Cocquyt wrote:
> > So in /etc/pam.d/system-auth-ac (the same place I added debug for logging krb
> >
> > and the only pam.d with krb config) I set:
> >
> > krb4_convert=false krb4_convert_524=false
>
> That should work in the 'pam' portion of the [appdefaults] section
> in krb5.conf. If you're passing it in as an argument, try
> "no_krb4_convert" and "no_krb4_convert_524" instead.
>
> HTH,
>
> Nalin
DingDingDing! we have a winner!
Added krb4_convert_524=false to the appdefaults section (note, krb4_convert =
false already existed):
[appdefaults]
default_lifetime = 25hrs
krb4_get_tickets = false
krb4_convert = false
krb4_convert_524 = false
krb5_get_tickets = true
krb5_get_forwardable = true
Solved the issue - kerberos authentication proceeds completes swiftly without
hanging on the krb524 conversion
Thanks to Nalin and all who provided feedback
Cheers,
Fletcher
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
