Hi! I feel sorry for posting this to the wrong list, but right now, neither sf.net nor stacken.kth.se let me join any Kerberos-related lists, so... I hope some of you are familiar with Kerberos, too.
I've got a problem with PAM and libpam_krb5 (libpam-heimdal in Debian). The pam.d files are all (probably) set up right, because at my home site, they work fine. Just in my newly set up Debian Sarge network, they don't. There, it is a Heimdal KDC with Heimdal clients. kinit works very well, and so does AFS when I obtain tickets manually; just the PAM module does not work.

If I add the 'debug' flag, I get messages in /var/log/auth.log like

    Jun 21 17:29:20 files login[10766]: pam_krb5: pam_sm_authenticate(su tpfeiffer): entry:
    Jun 21 17:29:23 files login[10766]: pam_krb5: verify_krb_v5_tgt(): krb5_sname_to_principal(): Cannot determine realm for host
    Jun 21 17:29:23 files login[10766]: pam_krb5: pam_sm_authenticate(su tpfeiffer): exit: success

And then the login prompt shows: "Login incorrect". Nevertheless, the heimdal-kdc.log on the KDC shows that a ticket is requested for the correct user.

If I try the MIT Kerberos PAM module (libpam-krb5 in Debian), I get a different message:

    Jun 21 17:29:20 files login[10766]: pam_krb5: pam_sm_authenticate(su tpfeiffer): entry:
    Jun 21 17:29:23 files login[10766]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): No such file or directory
    Jun 21 17:29:23 files login[10766]: pam_krb5: pam_sm_authenticate(su tpfeiffer): exit: success

At the login prompt, there is now an "Authentication service cannot retrieve authentication info." message instead of "Login incorrect".

My question is: why doesn't the first module find the realm if kinit works without problems? Is there anything left I have to configure? The krb5.conf file shows the correct FQDN of the server machines and there are also domain -> realm mappings.

Thanks for your help!

Bye
Tobias

-- 
...and justice for all!
