[35949] in Kerberos


Re: root login via Kerberos5 - "User not known to the underlying

daemon@ATHENA.MIT.EDU (Wendy Lin)
Sat Mar 29 09:01:30 2014

MIME-Version: 1.0
In-Reply-To: <CA+j=ERpz4BB0M04pe9iWC=vKRMz4TBL1cTeNTwNFTh6khO+XQQ@mail.gmail.com>
Date: Sat, 29 Mar 2014 14:01:07 +0100
Message-ID: <CA+j=ERouC8YuQsiCfb5DxEng__asBkQ8xwX4i=Kf4YPeDf31Lw@mail.gmail.com>
From: Wendy Lin <wendlin1974@gmail.com>
To: "<kerberos@mit.edu>" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 27 March 2014 18:12, Wendy Lin <wendlin1974@gmail.com> wrote:
> On 24 March 2014 11:58, Predrag Zecevic [Unix Systems Administrator]
> <Predrag.Zecevic@2e-systems.com> wrote:
>> On 03/24/14 11:31 AM, Wendy Lin wrote:
>>> I am trying to allow user root (uid=0) to be authenticated via
>>> Kerberos5 at login time, too, but if I do I get a "User not known to
>>> the underlying authentication module" error and login is refused.
>>>
>>> OS is Suse 13.1
>>>
>>> pam config is:
>>> grep -r krb5 /etc/pam.d/
>>> /etc/pam.d/common-password-pc:password  sufficient      pam_krb5.so
>>> /etc/pam.d/common-account-pc:account    required        pam_krb5.so     use_first_pass
>>> /etc/pam.d/common-auth-pc:auth  sufficient      pam_krb5.so     use_first_pass
>>> /etc/pam.d/common-session-pc:session    optional        pam_krb5.so
>>>
>>> What am I doing wrong?
>>>
>>> Wendy
>> Hi,
>>
>> * do other users have a similar problem?
>>     (user root is 'defined' on each system before starting to use Kerberos, so try to find
>>     another account similar to root and try to use it)...
>
> There is a root@<PRINCIPAL>
>
>> * does your Kerberos have LDAP as backend DB?
>>     If yes (like I would expect), then probably user root is not defined, so you can add (to pam configuration) something like:
>> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
>
> No, we use the built in database backend in this case.

I turned on pam_krb5 debugging and received this in /var/log/messages:

pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
returning "User not known to the underlying authentication module"

What does this mean? I clearly have a root principal for EXAMPLE.COM:
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 root/admin@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 root/admin@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 root/admin@EXAMPLE.COM (des3-cbc-sha1)
   2 root/admin@EXAMPLE.COM (arcfour-hmac)
  11 root@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  11 root@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
  11 root@EXAMPLE.COM (des3-cbc-sha1)
  11 root@EXAMPLE.COM (arcfour-hmac)
   2 host/example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 host/example.com@EXAMPLE.COM (arcfour-hmac)
   2 nfs/example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 nfs/example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 nfs/example.com@EXAMPLE.COM (arcfour-hmac)
   2 test001@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 test001@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 test001@EXAMPLE.COM (des3-cbc-sha1)
   2 test001@EXAMPLE.COM (arcfour-hmac)

$ kadmin -q 'listprincs'
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
K/M@EXAMPLE.COM
host/example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
nfs/example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
root@EXAMPLE.COM
test001@EXAMPLE.COM

Wendy

PS: Full log is:
login: pam_krb5[3808]: flag: debug
login: pam_krb5[3808]: flag: don't always_allow_localname
login: pam_krb5[3808]: flag: no ignore_afs
login: pam_krb5[3808]: flag: no null_afs
login: pam_krb5[3808]: flag: cred_session
login: pam_krb5[3808]: flag: no ignore_k5login
login: pam_krb5[3808]: flag: user_check
login: pam_krb5[3808]: will try previously set password first
login: pam_krb5[3808]: will let libkrb5 ask questions
login: pam_krb5[3808]: flag: no use_shmem
login: pam_krb5[3808]: flag: no external
login: pam_krb5[3808]: flag: no multiple_ccaches
login: pam_krb5[3808]: flag: validate
login: pam_krb5[3808]: flag: warn
login: pam_krb5[3808]: minimum uid: 0
login: pam_krb5[3808]: banner: Kerberos 5
login: pam_krb5[3808]: ccache dir: /tmp
login: pam_krb5[3808]: ccname template: DIR:/run/user/%U/krb5cc_XXXXXX
login: pam_krb5[3808]: keytab: FILE:/etc/krb5.keytab
login: pam_krb5[3808]: token strategy: 2b,rxk5
login: pam_krb5[3808]: pam_acct_mgmt called for 'root', realm 'EXAMPLE.COM'
login: pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
returning "User not known to the underlying authentication module"
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

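An added diagnostic helper, not part of this thread and not pam_krb5's own code, that parses the pam_krb5 debug lines and the `klist -ke` output above into one summary: which PAM stage pam_krb5 logged for which user and realm, the minimum uid it enforces, the failure message, and whether the host keytab holds a principal named user@realm. The sample inputs are constructed from the post.

```python
import re

# Constructed sample: pam_krb5 debug lines as they appear in the post
SAMPLE_LOG = """\
login: pam_krb5[3808]: minimum uid: 0
login: pam_krb5[3808]: pam_acct_mgmt called for 'root', realm 'EXAMPLE.COM'
login: pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
returning "User not known to the underlying authentication module"
"""

# Constructed sample: a subset of the post's `klist -ke` output
SAMPLE_KEYTAB = """\
KVNO Principal
---- ------------------------------------------------------------------
   2 root/admin@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  11 root@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

MSG_RE = re.compile(r"pam_krb5\[(\d+)\]: (.*)$")
STAGE_RE = re.compile(r"^(pam_\w+) called for '([^']+)', realm '([^']+)'")
KEYTAB_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s+\(")

def keytab_principals(klist_text):
    # Principal names from `klist -ke` rows of the form "KVNO principal (enctype)"
    return {m.group(1) for m in map(KEYTAB_RE.match, klist_text.splitlines()) if m}

def diagnose(log_text, klist_text):
    """Summarise one pam_krb5 run: PAM stages logged, user/realm, minimum uid,
    the failure message, and whether user@realm exists in the host keytab."""
    rec = {"user": None, "realm": None, "stages": [], "min_uid": None,
           "not_authenticated": False, "principal_in_keytab": None}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # continuation lines carry no pam_krb5[pid] prefix
        msg = m.group(2)
        if msg.startswith("minimum uid: "):
            rec["min_uid"] = int(msg.split(":", 1)[1])
        s = STAGE_RE.match(msg)
        if s:
            rec["stages"].append(s.group(1))
            rec["user"], rec["realm"] = s.group(2), s.group(3)
        if "was not authenticated by pam_krb5" in msg:
            rec["not_authenticated"] = True
    if rec["user"] and rec["realm"]:
        principal = f"{rec['user']}@{rec['realm']}"
        rec["principal_in_keytab"] = principal in keytab_principals(klist_text)
    # Only the account stage in the log means this PID logged no auth stage at all
    rec["only_account_stage"] = rec["stages"] == ["pam_acct_mgmt"]
    return rec
```

Running it over the real /var/log/messages and `klist -ke` output shows at a glance whether the principal the account stage looked for actually exists and which PAM stages pam_krb5 took part in for that login.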