Rohit Kumar Mehta <[EMAIL PROTECTED]> writes:

> What does not work, is logging in with my Active Directory password.  So
> I enabled debugging in PAM, and noticed the following errors when I try
> to log in:

> Sep  8 17:25:44 nfsv4c sshd[5103]: pam_krb5: pam_sm_authenticate(ssh rohitm): entry:
> Sep  8 17:25:45 nfsv4c sshd[5103]: pam_krb5: verify_krb_v5_tgt(): krb5_sname_to_principal(): Cannot determine realm for host
> Sep  8 17:25:45 nfsv4c sshd[5103]: pam_krb5: pam_sm_authenticate(ssh rohitm): exit: failure

> Now my realm is set in the krb5.conf file (I just kinit username, and it
> knows my default realm), so do I have to do something else for pam to
> understand it?

It's attempting to verify the credentials against a host keytab and can't
find the Kerberos realm for the host.  You can probably fix this by adding
an appropriate mapping to the [domain_realm] section of your krb5.conf.

> Also is the krb5.keytab file necessary?  It looks like I have to run
> commands as administrator on Active Directory to generate this
> file and if I don't have to do this, I'd rather not!

It's not necessary.  The default behavior is to skip the check if you have
no krb5.keytab file or if it contains no usable keys.  However, the
authentication will fail if it can't get even that far due to some other
more basic problem, such as not being able to figure out the realm of the
host.

This code is a bit better in the pam-krb5 that's in current Debian
unstable.

-- 
Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
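
A way to check which [domain_realm] entry, if any, covers a host name, as an added example that is not part of the original message or of pam-krb5. It models only the [domain_realm] lookup (exact host name first, then each parent domain written with a leading dot) and none of the library's other fallbacks; EXAMPLE.COM, OLD.EXAMPLE.COM and every host name except the short name nfsv4c from the log are constructed placeholders.

```python
"""Added example: which [domain_realm] entry, if any, covers a host name."""

# Constructed krb5.conf; the realm names and domains are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    legacy.corp.example.com = OLD.EXAMPLE.COM
"""


def parse_domain_realm(text):
    """Return the [domain_realm] section as a {name: realm} dict."""
    mappings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mappings[name.lower()] = realm
    return mappings


def realm_for_host(hostname, mappings):
    """Try the exact host name, then each parent domain written with a
    leading dot. Returns (realm, matched_key), or (None, None)."""
    host = hostname.lower().rstrip(".")
    candidates = [host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidates.append("." + ".".join(labels[i:]))
    for key in candidates:
        if key in mappings:
            return mappings[key], key
    return None, None


if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    # A default_realm alone does not map a host: the short name finds nothing.
    for host in ("nfsv4c.example.com", "legacy.corp.example.com", "nfsv4c"):
        realm, key = realm_for_host(host, table)
        print(f"{host}: {realm or 'no [domain_realm] mapping'} (via {key})")
```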
