[19239] in Kerberos
Kerberos and PAM authentication
daemon@ATHENA.MIT.EDU (Chris Schadl)
Tue May 13 18:54:30 2003
From: "Chris Schadl" <cschadl@hotmail.com>
Date: Tue, 13 May 2003 17:50:25 -0500
Message-ID: <vc2tpdcsikjl45@corp.supernews.com>
To: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu
Hi,

I'm trying to get my network configured so that stuff authenticates against
the Kerberos realm using PAM. So far I've installed the krb5-kdc and
krb5-admin-server packages in Debian 3.0, created the principals on the KDC
and created/imported the host principals into the keytab on the KDC. While
I am able to get a TGT using `kinit`, I am unable to get anything to
authenticate against the KDC using PAM. For instance, this is what I get
when I try to use the `su` command (with "auth sufficient pam_krb5.so" added
towards the top of the PAM stack, of course):

cds@lain:~$ su chris
Password for chris@LEET.ORG:
su: Authentication service cannot retrieve authentication info.
Sorry.

This is what shows up in /var/log/messages:

May 13 17:44:26 lain krb5kdc[2258]: AS_REQ (3 etypes {16 3 1})
192.168.0.2(88): ISSUE: authtime 1052865866, etypes {rep=16 tkt=16 ses=16},
chris@LEET.ORG for krbtgt/LEET.ORG@LEET.ORG
May 13 17:44:26 lain krb5kdc[2258]: TGS_REQ (3 etypes {16 3 1})
192.168.0.2(88): ISSUE: authtime 1052865866, etypes {rep=16 tkt=16 ses=16},
chris@LEET.ORG for host/lain.leet.org@LEET.ORG
May 13 17:44:26 lain su[2538]: pam_acct_mgmt: Authentication service cannot
retrieve authentication info.

And here is what the principal looks like:

root@lain:/home/cds# kadmin.local -q "getprinc chris"
Authenticating as principal root/admin@LEET.ORG with password.
Principal: chris@LEET.ORG
Expiration date: [never]
Last password change: Tue May 13 14:54:11 CDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue May 13 17:28:17 CDT 2003 (chris/admin@LEET.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes:
Policy: [none]

My /etc/krb5.conf just consists of the default realm definition, and I
have the following SRV records in DNS:

_kerberos._udp IN SRV 01 00 88 lain.leet.org.
_kerberos._tcp IN SRV 01 00 88 lain.leet.org.
_kpasswd._udp IN SRV 01 00 464 lain.leet.org.
_kerberos-adm._tcp IN SRV 01 00 749 lain.leet.org.
_kerberos IN TXT LEET.ORG

Anyway, I have no clue what's going wrong. This stuff worked without a hitch
when I had it running on a Heimdal KDC a while back. If anyone knows what
the problem might be, I'd love to hear from you.