On Mon, 21 Aug 2006 10:39:13 -0400
Jeffrey Hutzelman <[EMAIL PROTECTED]> wrote:
>
>
> On Sunday, August 20, 2006 11:19:13 PM -0400 Michael B Allen
> <[EMAIL PROTECTED]> wrote:
>
> > I was just trying pam_krb5 for kicks but it can't find my KDC. My
> > /etc/krb5.conf is just:
>
> It helps a lot if you quote actual error messages, instead of paraphrasing
> them. Similarly, it's going to be a lot easier to track down the problem
> if you send your real krb5.conf, instead of trying to obfuscate the names.
> Perhaps you could also tell us the name of the machine you're trying this
> on.
[EMAIL PROTECTED] pam.d]# cat sshd
#%PAM-1.0
auth requisite pam_krb5.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
[EMAIL PROTECTED] etc]# cat krb5.conf
[libdefaults]
    default_realm = WIN.NET
[appdefaults]
    pam = {
        debug = true
    }
[realms]
    WIN.NET = {
        kdc = ts0.win.net
    }
[domain_realm]
    .foo.net = WIN.NET
    foo.net = WIN.NET
[EMAIL PROTECTED] src]$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
There is no user5 on the local system. My expectation is that pam_krb5.so
should use the supplied password to get a TGT thereby authenticating me
(I'm assuming not having a shell or home directory is not interfering
with this step).
No names have been obfuscated. These files are exactly as they appear
above.
Looking at Ethereal shows only the DNS lookup for quark.foo.net. There
is no KDC communication.
Interestingly, if I have the same auth line in /etc/pam.d/hddtemp and
run that program, I actually get the expected KDC communication, but of
course I don't have a principal for 'root' and therefore it fails with
KRB5KDC_ERR_S_UNKNOWN_PRINCIPAL.
Perhaps my expectations are misguided? What does pam_krb5 do exactly?
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
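As an added illustration of what the krb5.conf above actually tells the library (this is example code written for this page, not code from the poster, from pam_krb5 or from MIT Kerberos), the script below re-implements the two lookups libkrb5 performs before any KDC packet can appear on the wire: the [domain_realm] suffix match that maps a hostname such as quark.foo.net to a realm (the realm a host/ service principal lives in, which matters when a module validates a TGT against a keytab), and the [realms] lookup that turns that realm into kdc entries. The default_realm fallback is what a bare user name like user5 gets. The embedded configuration is the poster's file, copied in as sample input and extended with one constructed entry (.lab.example mapped to LAB.EXAMPLE with no [realms] stanza) to show the failure mode where a realm resolves but has no configured KDC; DNS SRV lookup, which real libkrb5 would try at that point, is not modelled.

```python
"""Resolve the realm and KDC libkrb5 would pick for a host from a krb5.conf.

Example code added to this page; not from pam_krb5 or MIT Kerberos. It models
the [domain_realm] suffix search, the default_realm fallback and the [realms]
kdc lookup. Anything not present in the thread's config is a constructed
assumption and is labelled as such below.
"""
import re

# Sample input: the poster's krb5.conf, plus one constructed [domain_realm]
# line (.lab.example) whose realm deliberately has no [realms] stanza.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = WIN.NET
[appdefaults]
    pam = {
        debug = true
    }
[realms]
    WIN.NET = {
        kdc = ts0.win.net
    }
[domain_realm]
    .foo.net = WIN.NET
    foo.net = WIN.NET
    .lab.example = LAB.EXAMPLE
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [sections], key = value
    relations, and `name = { ... }` subsections. Repeated keys (several kdc
    lines, for instance) are collected into a list in file order."""
    conf = {}
    stack = []  # dicts for the currently open section / { } blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("relation outside any section: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, hostname):
    """[domain_realm] search order: the exact hostname, then each parent
    domain prefixed with a dot, then libdefaults default_realm."""
    domain_realm = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate][0]
    default = conf.get("libdefaults", {}).get("default_realm")
    return default[0] if default else None


def kdcs_for_realm(conf, realm):
    """kdc entries configured for a realm; [] when the realm has no [realms]
    stanza, which is the point at which real libkrb5 would fall back to DNS."""
    return list(conf.get("realms", {}).get(realm, {}).get("kdc", []))


def locate_kdc(conf_text, hostname):
    """Return (realm, [kdc, ...]) for a hostname under the given krb5.conf."""
    conf = parse_krb5_conf(conf_text)
    realm = realm_for_host(conf, hostname)
    return realm, kdcs_for_realm(conf, realm)


if __name__ == "__main__":
    for host in ("quark.foo.net", "foo.net", "ts0.win.net", "box.lab.example"):
        print(host, "->", locate_kdc(SAMPLE_KRB5_CONF, host))
```

With the thread's config, quark.foo.net, foo.net and an unmapped host like ts0.win.net all end up in WIN.NET with ts0.win.net as the KDC, so the configuration itself does resolve a KDC; the constructed box.lab.example shows the shape of a genuine "cannot locate KDC" outcome, where a realm is found but no kdc line exists for it.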