You still have "Server not found in Kerberos database" in your log. Could you capture the TGS-REQ and reply with Ethereal? Sometimes the issue is a wrong hosts entry (e.g. the short hostname is in front of the FQDN).
Markus

"Jesper Angelo" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I have trimmed down the configs heavily, so now I still can't login,
> but at least I get a login incorrect. Let's see...
>
>> Clear the auth log and login as I said /locally/ with a /pure/ /local/
>> user. See what happens working with this user. If you can work and
>> you're not kicked out, then kinit to a principal, noting what klist
>> (klist -aef --- if you want).
>
> Local login works (login as 'newbie'), which shows in the logs as:
> ============================================================
> krbtest login: newbie
> Password for newbie: (local password typed in)
> --[LOG]-----------------------------------------------------
> Aug 10 15:28:14 krbtest login[1123]: (pam_unix) session opened for user
> newbie by LOGIN(uid=0)
> ============================================================
>
> Then kinit to user 'guru' on AD (AD reports user authenticated):
> ============================================================
> [EMAIL PROTECTED]:~$ kinit guru
> Password for [EMAIL PROTECTED]:
> [EMAIL PROTECTED]:~$
> --[LOG]-----------------------------------------------------
> (nothing happens)
> ============================================================
>
> klist for user shows:
> ============================================================
> [EMAIL PROTECTED]:~$ klist -aef
> Ticket cache: FILE:/tmp/krb5cc_1001
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 08/10/06 15:32:27  08/11/06 01:30:45  krbtgt/[EMAIL PROTECTED]
>         renew until 08/11/06 01:32:27, Flags: RIA
>         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>         Addresses: (none)
>
>
> Kerberos 4 ticket cache: /tmp/tkt1001
> klist: You have no tickets cached
> [EMAIL PROTECTED]:~$
> --[LOG]-----------------------------------------------------
> (nothing happens)
> ============================================================
>
> Keytab shows (ran as root):
> ============================================================
> krbtest:~# klist -kt
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    5 01/01/70 01:00:00 host/[EMAIL PROTECTED]
> krbtest:~#
> --[LOG]-----------------------------------------------------
> (nothing happens)
> ============================================================
>
> So far so good. If I then log out, add krb to login in PAM, and log
> in, I get:
> ============================================================
> krbtest login: newbie
> Password for [EMAIL PROTECTED]: (ad password for newbie typed in)
> Login incorrect
>
> Login:
> --[LOG]-----------------------------------------------------
> Aug 10 15:37:17 krbtest login[1151]: pam_krb5:
> pam_sm_authenticate(login newbie): entry:
> Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt():
> krb5_mk_req(): Server not found in Kerberos database
> Aug 10 15:37:22 krbtest login[1151]: pam_krb5:
> pam_sm_authenticate(login newbie): exit: failure
> Aug 10 15:37:22 krbtest login[1151]: (pam_unix) authentication failure;
> logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=newbie
> Aug 10 15:37:25 krbtest login[1151]: FAILED LOGIN (1) on `tty1' FOR
> `newbie', Permission denied
> ============================================================
>
>
>> Then, if you /can/ kinit /and/ work with a local user, post the pam and
>> kerberos configuration files.
>
> pam conf for login (/etc/pam.d/login):
> ============================================================
> /etc/pam.d/login
> auth     sufficient pam_krb5.so debug
> auth     sufficient pam_unix.so try_first_pass debug
>
> password sufficient pam_krb5.so debug
> password sufficient pam_unix.so debug
>
> account  optional   pam_krb5.so debug
> account  optional   pam_unix.so debug
>
> session  optional   pam_krb5.so debug
> session  optional   pam_unix.so debug
> ============================================================
>
> krb5.conf (/etc/krb5.conf)
> ============================================================
> [logging]
>  default = FILE:/var/log/kerberos/krb5libs.log
>  kinit = FILE:/var/log/kerberos/kinit.log
>  kdc = FILE:/var/log/kerberos/krb5kdc.log
>  admin_server = FILE:/var/log/kerberos/kadmind.log
>
> [libdefaults]
>  debug = true
>  default_realm = BORSEN-ONLINE.DK
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24000
>
> [realms]
>  BORSEN-ONLINE.DK = {
>   kdc = adtest.borsen-online.dk
>   admin_server = adtest.borsen-online.dk
>   # default_domain = borsen-online.dk
>   kpasswd_protocol = SET_CHANGE
>  }
>
> [domain_realm]
>  .borsen-online.dk = BORSEN-ONLINE.DK
>  # borsen-online.dk = BORSEN-ONLINE.DK
>
> [login]
>  debug = true
> ============================================================
>
>
> Hope you or someone else can see what's going on...?
>
>
> Thank you,
>
> Jesper Angelo
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
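Markus's pointer about the hosts entry can be turned into a repeatable check before reaching for a packet capture. The script below is an added example and is not code from either poster: it parses an /etc/hosts file and a `klist -kt` listing (both sample inputs are constructed here, with a placeholder host krbtest.example.com in a placeholder realm EXAMPLE.COM rather than the thread's real domain), derives the host/ principal that pam_krb5's TGT verification step would request if the library canonicalises the local hostname to the first name on its /etc/hosts line, and reports whether that principal is present in the keytab. The assumption that the first name on the matching line becomes the canonical name is the usual libc resolver behaviour, but the exact name MIT krb5 ends up requesting also depends on its own canonicalisation settings, so a mismatch reported here is something to confirm against the TGS-REQ on the wire rather than a verdict on its own.

```python
# Added example (not from the thread): check whether the host principal that
# pam_krb5's TGT verification would ask for actually exists in the keytab.
# Assumption: the local hostname is canonicalised to the FIRST name on its
# /etc/hosts line, so "192.0.2.10 krbtest krbtest.example.com" yields
# host/krbtest@REALM, which the KDC does not know. Names and realm below are
# placeholders, not the thread's real domain.
import re
from typing import Dict, List, Set, Tuple

HostsEntry = Tuple[str, List[str]]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse /etc/hosts-style text into (address, [names]) pairs, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def canonical_name(hosts: List[HostsEntry], name: str) -> str:
    """First name on the line that lists `name` (what the resolver reports as canonical)."""
    for _addr, names in hosts:
        if name in names:
            return names[0]
    return name  # no hosts entry: the name is used unchanged


def ordering_problems(hosts: List[HostsEntry]) -> List[Tuple[str, str, str]]:
    """Lines where a short name is listed before an FQDN for the same address."""
    problems = []
    for addr, names in hosts:
        fqdns = [n for n in names if "." in n]
        if fqdns and "." not in names[0]:
            problems.append((addr, names[0], fqdns[0]))
    return problems


# One `klist -kt` entry: KVNO, two-token timestamp, principal.
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+@\S+)\s*$")


def parse_keytab_listing(text: str) -> Set[str]:
    """Principals from `klist -kt` output; header and separator lines do not match."""
    return {m.group(3) for m in map(KEYTAB_LINE.match, text.splitlines()) if m}


def check_host_principal(hosts_text: str, keytab_text: str,
                         hostname: str, realm: str) -> Dict[str, object]:
    """Report the principal a client would request and whether the keytab has it."""
    hosts = parse_hosts(hosts_text)
    requested = f"host/{canonical_name(hosts, hostname)}@{realm}"
    return {
        "requested_principal": requested,
        "in_keytab": requested in parse_keytab_listing(keytab_text),
        "ordering_problems": ordering_problems(hosts),
    }


# Constructed sample inputs (placeholder domain, modelled on the thread's listing).
BAD_HOSTS = "127.0.0.1 localhost\n192.0.2.10 krbtest krbtest.example.com\n"
GOOD_HOSTS = "127.0.0.1 localhost\n192.0.2.10 krbtest.example.com krbtest\n"
KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 01/01/70 01:00:00 host/krbtest.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for label, hosts in (("short name first", BAD_HOSTS), ("FQDN first", GOOD_HOSTS)):
        result = check_host_principal(hosts, KEYTAB_LISTING, "krbtest", "EXAMPLE.COM")
        print(f"{label}: requests {result['requested_principal']}, "
              f"in keytab: {result['in_keytab']}, "
              f"ordering problems: {result['ordering_problems']}")
```

On a real box, feed it the contents of /etc/hosts, the output of `klist -kt`, the value of `hostname`, and the realm from krb5.conf; when the short-name-first case reports a principal the keytab lacks, that matches the krb5_mk_req failure in the log above, and swapping the order of the names on the hosts line (FQDN first) is the corresponding fix to try.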
