I have trimmed down the configs heavily, so now I still can't log in,
but at least I get a "Login incorrect". Let's see...
> Clear the auth log and login as I said /locally/ with a /pure/ /local/
> user. See what happens working with this user. If you can work and
> you're not kicked out, then kinit to a principal, noting what klist
> (klist -aef --- if you want).
Local login works (login as 'newbie'), which shows in the logs as:
============================================================
krbtest login: newbie
Password for newbie: (local password typed in)
--[LOG]-----------------------------------------------------
Aug 10 15:28:14 krbtest login[1123]: (pam_unix) session opened for user
newbie by LOGIN(uid=0)
============================================================
Then kinit to user 'guru' on AD (AD reports user authenticated):
============================================================
[EMAIL PROTECTED]:~$ kinit guru
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~$
--[LOG]-----------------------------------------------------
(nothing happens)
============================================================
klist for user shows:
============================================================
[EMAIL PROTECTED]:~$ klist -aef
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
08/10/06 15:32:27  08/11/06 01:30:45  krbtgt/[EMAIL PROTECTED]
        renew until 08/11/06 01:32:27, Flags: RIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Addresses: (none)
Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
[EMAIL PROTECTED]:~$
--[LOG]-----------------------------------------------------
(nothing happens)
============================================================
Keytab shows (ran as root):
============================================================
krbtest:~# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
5 01/01/70 01:00:00 host/[EMAIL PROTECTED]
krbtest:~#
--[LOG]-----------------------------------------------------
(nothing happens)
============================================================
So far so good. If I then log out, add krb to login in PAM, and log
in, I get:
============================================================
krbtest login: newbie
Password for [EMAIL PROTECTED]: (ad password for newbie typed in)
Login incorrect
Login:
--[LOG]-----------------------------------------------------
Aug 10 15:37:17 krbtest login[1151]: pam_krb5:
pam_sm_authenticate(login newbie): entry:
Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt():
krb5_mk_req(): Server not found in Kerberos database
Aug 10 15:37:22 krbtest login[1151]: pam_krb5:
pam_sm_authenticate(login newbie): exit: failure
Aug 10 15:37:22 krbtest login[1151]: (pam_unix) authentication failure;
logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=newbie
Aug 10 15:37:25 krbtest login[1151]: FAILED LOGIN (1) on `tty1' FOR
`newbie', Permission denied
============================================================
> Then, if you /can/ kinit /and/ work with a local user, post the pam and
> kerberos configuration files.
pam conf for login (/etc/pam.d/login):
============================================================
/etc/pam.d/login
auth sufficient pam_krb5.so debug
auth sufficient pam_unix.so try_first_pass debug
password sufficient pam_krb5.so debug
password sufficient pam_unix.so debug
account optional pam_krb5.so debug
account optional pam_unix.so debug
session optional pam_krb5.so debug
session optional pam_unix.so debug
============================================================
krb5.conf (/etc/krb5.conf)
============================================================
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kinit = FILE:/var/log/kerberos/kinit.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
debug = true
default_realm = BORSEN-ONLINE.DK
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24000
[realms]
BORSEN-ONLINE.DK = {
kdc = adtest.borsen-online.dk
admin_server = adtest.borsen-online.dk
# default_domain = borsen-online.dk
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
.borsen-online.dk = BORSEN-ONLINE.DK
# borsen-online.dk = BORSEN-ONLINE.DK
[login]
debug = true
============================================================
Hope you or someone else can see what's going on...?
Thank you,
Jesper Angelo
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
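The failing step in the log above is pam_krb5's verify_krb_v5_tgt(): after obtaining the TGT it asks the KDC for a service ticket for the host/ principal in /etc/krb5.keytab (that is the krb5_mk_req() call) and decrypts it with the keytab key, so that a TGT handed out by a spoofed KDC is rejected. "Server not found in Kerberos database" is the KDC saying it has no entry for the principal name the keytab carries. The script below, added here as an example and not part of the post or of pam_krb5, repeats that lookup by hand for every principal in a keytab with kvno(1), so the mismatch (or a stale KVNO) is visible before PAM is touched. It assumes MIT krb5 tools (klist, kvno) and a valid TGT in the credentials cache; the constructed sample listing uses the host name krbtest.borsen-online.dk as an assumption, since the post's keytab entry is redacted.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post or of pam_krb5.  Assumes
# MIT krb5 tools (klist, kvno) and a valid TGT in the default credentials
# cache.  It does by hand what pam_krb5's verify_krb_v5_tgt() does: request
# a service ticket for each keytab principal and see whether the KDC knows
# the name (and whether its key version matches the keytab).

# Constructed sample of `klist -kt` output, same layout as in the post.  The
# host name krbtest.borsen-online.dk is an assumption (the post's is redacted).
SAMPLE_KLIST_KT='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK
   5 01/01/70 01:00:00 host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK
   3 08/10/06 15:00:00 nfs/krbtest.borsen-online.dk@BORSEN-ONLINE.DK'

# Print each distinct principal in a `klist -kt` listing (stdin), one per line.
# Entry lines start with a numeric KVNO; the timestamp contains a space, so
# the principal is always the last field.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Highest KVNO recorded in the listing (stdin) for the principal given as $1.
keytab_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p && $1+0 > m { m = $1+0 } END { print m+0 }'
}

# Extract the number from a successful kvno(1) line such as
# "host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK: kvno = 5".
kvno_from_output() {
    printf '%s\n' "$1" | sed 's/.*kvno = //'
}

# Ask the KDC for a service ticket for $1 and compare its kvno with the
# keytab's ($2).  Needs a live TGT, exactly like the pam_krb5 check.
probe_principal() {
    p=$1; kt_kvno=$2
    if out=$(kvno "$p" 2>&1); then
        kdc_kvno=$(kvno_from_output "$out")
        if [ "$kdc_kvno" = "$kt_kvno" ]; then
            echo "OK   $p: KDC and keytab agree on kvno $kt_kvno"
        else
            echo "WARN $p: KDC has kvno $kdc_kvno, keytab has $kt_kvno (stale keytab, re-export it)"
            return 2
        fi
    else
        # Typical text here: "kvno: Server not found in Kerberos database while
        # getting credentials for host/...": the KDC does not know this name.
        echo "FAIL $p: $out"
        return 1
    fi
}

# Walk a keytab (default /etc/krb5.keytab; reading it normally needs root).
probe_keytab() {
    kt=${1:-/etc/krb5.keytab}
    listing=$(klist -kt "$kt") || { echo "cannot read keytab $kt" >&2; return 1; }
    klist -s || { echo "no valid TGT in the credentials cache; kinit first" >&2; return 1; }
    rc=0
    for p in $(printf '%s\n' "$listing" | keytab_principals); do
        probe_principal "$p" "$(printf '%s\n' "$listing" | keytab_kvno "$p")" || rc=1
    done
    return $rc
}

# Offline by default: show what the parser extracts from the sample.
# Run `sh keytab-probe.sh --live [keytab]` after kinit to query the KDC.
if [ "${1-}" = "--live" ]; then
    probe_keytab "${2-}"
else
    printf '%s\n' "$SAMPLE_KLIST_KT" | keytab_principals
fi
```

Run it as root after a successful kinit (the same state as the working kinit/klist steps above): a FAIL line with "Server not found in Kerberos database" for the host/ principal reproduces the pam_krb5 failure outside PAM, while a WARN line points at a keytab whose key version no longer matches the KDC's.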