Hi, a recent campus firewall change has caused user's kerberos logins to hang on this system. The problem has been isolated to a krb524 attempt (which used to swiftly fail - but now tries for 60-90 seconds before failing).
How can we explicitly disable the krb524 communication attempt (campus does not run that service) Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: flag: no external Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: flag: warn Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: ticket lifetime: 0 Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: renewable lifetime: 0 Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: minimum uid: 100 Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: banner: Kerberos 5 Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: ccache dir: /tmp Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: keytab: FILE:/etc /krb5.keytab Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: called to authenticate 'fcocquyt', realm 'stanford.edu' Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: authenticating '[email protected]' Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: trying previously-entered password for 'fcocquyt', allowing libkrb5 to prompt for more Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: authenticating '[email protected]' to 'krbtgt/[email protected]' Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: krb5_get_init_creds_password(krbtgt/[email protected]) returned 0 (Success) Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: got result 0 (Success) Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: obtaining v4-compatible key Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: obtained des-cbc-crc v5 creds Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: converting v5 creds to v4 creds (etype = 1) ... ...<hang > 60 seconds > ... ... many thanks ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
