[33151] in Kerberos


Logging in with kerberos fails, but acquiring a ticket with kinit

daemon@ATHENA.MIT.EDU (Thomas Schweikle)
Wed Jan 26 22:37:17 2011

From: Thomas Schweikle <tps@vr-web.de>
Date: Wed, 26 Jan 2011 23:38:13 +0100
Message-ID: <8qbm2nFu3hU1@mid.individual.net>
Mime-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi!

I've set up Ubuntu to auth against a Kerberos server. The client is
equipped with:
krb5-config
krb5-user
libgssapi-krb5-2
libkrb5-3
libkrb5support0
libpam-krb5

/etc/krb5.config holds:
[libdefaults]
        default_realm = EXAMPLE.COM
        #dns_lookup_kdc = true
        #dns_lookup_realm = true

    # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.COM = {
                kdc = srv.example.com
                admin_server = srv.example.com
                default_domain = example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        default = FILE:/var/log/kerberos/krb5lib.log
        admin_server = FILE:/var/log/kerberos/kadmin.log

PAM (/etc/pam.d/common-auth):
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Now local login:
user@host:~$ su - user
Password:
su: Fehler bei Authentifizierung
user@host:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
user@host:~$ kinit user
Password for user@EXAMPLE.COM:
user@host:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
01/26/11 23:30:12  01/27/11 09:30:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/27/11 23:30:07

Any idea what's wrong here?


-- 
Thomas
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
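
The common-auth stack quoted in the message above, traced as an added example that is not part of the original post: a simplified Python model of the `[success=N default=ignore]`, `requisite` and `required` controls, with each module's result supplied by hand instead of calling real PAM modules. The function names `parse`, `evaluate` and `run` are hypothetical, and only the controls used in this stack are modeled.

```python
import re
# Stack from the post, with the mail-wrapped lines joined to one entry per line.
STACK = """\
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
LINE = re.compile(r"^\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Return [(control, module), ...], one tuple per stack line."""
    entries = []
    for raw in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(raw)
        if m is None:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append(m.groups())
    return entries

def evaluate(entries, results):
    """Walk the stack; results maps module -> True/False. A jump only skips modules (simplified)."""
    granted, failed, trace, i = False, False, [], 0
    while i < len(entries):
        control, module = entries[i]
        ok = results[module]
        trace.append(module)
        i += 1
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
            action = actions["success"] if ok and "success" in actions else actions["default"]
            if action.isdigit():
                i += int(action)          # skip the next N modules
            elif action != "ignore":
                raise NotImplementedError(f"action {action!r} not modeled")
        elif control == "requisite":
            if not ok:
                return False, trace       # requisite failure ends the stack
            granted = True
        elif control == "required":
            granted, failed = granted or ok, failed or not ok
        else:
            raise NotImplementedError(f"control {control!r} not modeled")
    return granted and not failed, trace

def run(krb5_ok, unix_ok):
    """Constructed module outcomes: pam_deny always fails, pam_permit always succeeds."""
    results = {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok,
               "pam_deny.so": False, "pam_permit.so": True}
    return evaluate(parse(STACK), results)
```

In this model the only path that denies authentication is the one where both pam_krb5.so and pam_unix.so return failure and the walk ends at pam_deny.so.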
