Welcome!

As I wrote in the subject, the problem is with logging in to the Linux machine with Kerberos authorization. This is my first time configuring Kerberos, so please be forgiving ;)

The basics. What I did:

On Windows (win server 2008R2 – computer name: active, full name: active.linux.domain)
- Installed Active Directory, Microsoft Identity for UNIX and DNS server
- create forest linux.domain
- add linux box record (ubuntu.linux.domain) to windows DNS
- Create SRV record for windows machine (active.linux.domain)
- Add user (ldapquery) to make authorization for linux boxes and create credentials for it.
- create regular user testuser, with the unix attributes (uid, group, home dir etc.)
- create group for this user

On Linux box (ubuntu.linux.domain)
- install packages: krb5-* libkrb-*
- download and compile nss-pam-ldapd-0.8.10.tar.gz
- install and configure nslcd daemon
- installed and configured NTP server, to get current time from Windows machine

What is important:
- ldapsearch gives the results perfectly
- getent passwd - also shows remote AD users
- when I am logging in to the machine, it lets me in correctly (but without kerberos auth)

Now, when I try to log in to the server using the credentials from AD, I get the following logs:

Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) attempting authentication as [email protected]
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Clock skew too great
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.159
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.159 user=testuser
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): skipping non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Aug 14 01:58:16 ubuntu32 sshd[15831]: Accepted password for testuser from 192.168.2.159 port 51594 ssh2
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_open_session: entry
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_close_session: entry (silent)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_unix(sshd:session): session closed for user testuser
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (delete)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)

My authorization goes well, but as we see in the logs, kerberos isn't used ;/ What could it be? I will be glad for any hints, suggestions, or solutions. How to test it deeper, what to correct, check?

Regards!

--
Best Regards
George

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
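Added example, not part of the original post: a small Python audit that groups sshd PAM lines by PID and reports, for every accepted login, whether pam_krb5 took part and which Kerberos error it logged. The function name, the field names and the "exit (success)" pattern are assumptions of this example; the sample input is a subset of the lines quoted above.

```python
import re

# Constructed sample: a subset of the sshd lines quoted in the post above.
SAMPLE = """\
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Clock skew too great
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.159 user=testuser
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): skipping non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: Accepted password for testuser from 192.168.2.159 port 51594 ssh2
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# A failing libkrb5 call as pam_krb5 reports it in the auth phase.
KRB_ERR = re.compile(r"pam_krb5\(sshd:auth\): \(user \S+\) (?P<call>krb5_\w+): (?P<reason>.+)$")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+)")
# Assumed success form, by analogy with the "exit (failure)" line in the post.
KRB_OK = "pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)"


def audit(log_text):
    """Return one dict per accepted sshd login, noting whether pam_krb5 succeeded."""
    state, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        s = state.setdefault(pid, {"krb5_ok": False, "krb5_error": None})
        if (err := KRB_ERR.match(msg)):
            s["krb5_error"] = err["reason"]
        elif msg.startswith(KRB_OK):
            s["krb5_ok"] = True
        elif (acc := ACCEPTED.match(msg)):
            # sshd accepted the login; record what pam_krb5 said before that point.
            findings.append({"pid": pid, "user": acc["user"], "rhost": acc["rhost"],
                             "method": acc["method"], "kerberos": s["krb5_ok"],
                             "krb5_error": s["krb5_error"]})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample it reports one accepted password login for testuser with kerberos False and krb5_error "Clock skew too great", so the login was granted by another module in the PAM stack and no ticket was obtained.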
