Kerberos and PAM authentication

Chris Schadl cschadl at hotmail.com
Tue May 13 18:50:25 EDT 2003


Hi,

I'm trying to get my network configured so that stuff authenticates against
the Kerberos realm using PAM.  So far I've installed the krb5-kdc and
krb5-admin-server packages in Debian 3.0, created the principals on the KDC
and created/imported the host principals into the keytab on the KDC.  While
I am able to get a TGT using `kinit`, I am unable to get anything to
authenticate against the KDC using PAM.  For instance, this is what I get
when I try to use the `su` command (with "auth sufficient pam_krb5.so" added
towards the top of the PAM stack, of course):

cds@lain:~$ su chris
Password for chris@LEET.ORG:
su: Authentication service cannot retrieve authentication info.
Sorry.

This is what shows up in /var/log/messages:

May 13 17:44:26 lain krb5kdc[2258]: AS_REQ (3 etypes {16 3 1})
192.168.0.2(88): ISSUE: authtime 1052865866, etypes {rep=16 tkt=16 ses=16},
chris@LEET.ORG for krbtgt/LEET.ORG@LEET.ORG
May 13 17:44:26 lain krb5kdc[2258]: TGS_REQ (3 etypes {16 3 1})
192.168.0.2(88): ISSUE: authtime 1052865866, etypes {rep=16 tkt=16 ses=16},
chris@LEET.ORG for host/lain.leet.org@LEET.ORG
May 13 17:44:26 lain su[2538]: pam_acct_mgmt: Authentication service cannot
retrieve authentication info.

And here is what the principal looks like:

root@lain:/home/cds# kadmin.local -q "getprinc chris"
Authenticating as principal root/admin@LEET.ORG with password.
Principal: chris@LEET.ORG
Expiration date: [never]
Last password change: Tue May 13 14:54:11 CDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue May 13 17:28:17 CDT 2003 (chris/admin@LEET.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes:
Policy: [none]

My /etc/krb5.conf just consists of the default realm definition, and I
have the following SRV records in DNS:
_kerberos._udp      IN  SRV 01 00 88    lain.leet.org.
_kerberos._tcp      IN  SRV 01 00 88    lain.leet.org.
_kpasswd._udp       IN  SRV 01 00 464   lain.leet.org.
_kerberos-adm._tcp  IN  SRV 01 00 749   lain.leet.org.
_kerberos           IN  TXT             LEET.ORG

Anyway, I have no clue what's going wrong.  This stuff worked without a hitch
when I had it running on a Heimdal KDC a while back.  If anyone knows what
the problem might be I'd love to hear from you.
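One way to read the log excerpt above, as an added example written for this page (not the poster's code): the script re-joins the mail-wrapped syslog records, pulls the client and service principals out of the krb5kdc ISSUE lines, and maps the text su logged back to its PAM return code, which separates the Kerberos exchange (TGT and host/ service ticket both issued) from the PAM stage that actually failed (pam_acct_mgmt returning PAM_AUTHINFO_UNAVAIL). The sample log is the post's three records with the archive's " at " restored to "@"; the PAM_ERRORS table is assumed from Linux-PAM's pam_strerror() strings.

```python
import re
# Constructed sample: the records quoted in the post, " at " restored to "@", wrapping kept.
LOG = """\
May 13 17:44:26 lain krb5kdc[2258]: AS_REQ (3 etypes {16 3 1})
192.168.0.2(88): ISSUE: authtime 1052865866, etypes {rep=16 tkt=16 ses=16},
chris@LEET.ORG for krbtgt/LEET.ORG@LEET.ORG
May 13 17:44:26 lain krb5kdc[2258]: TGS_REQ (3 etypes {16 3 1})
192.168.0.2(88): ISSUE: authtime 1052865866, etypes {rep=16 tkt=16 ses=16},
chris@LEET.ORG for host/lain.leet.org@LEET.ORG
May 13 17:44:26 lain su[2538]: pam_acct_mgmt: Authentication service cannot
retrieve authentication info.
"""
# pam_strerror() texts from Linux-PAM (assumed), mapped back to the return code name.
PAM_ERRORS = {
    "Authentication failure": "PAM_AUTH_ERR",
    "Authentication service cannot retrieve authentication info": "PAM_AUTHINFO_UNAVAIL",
    "User not known to the underlying authentication module": "PAM_USER_UNKNOWN",
}
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[(\d+)\]: (.*)$")
# krb5kdc: "<AS_REQ|TGS_REQ> (...) <ip>(<port>): <STATUS>: ... <client> for <service>"
KDC_RE = re.compile(r"^(AS_REQ|TGS_REQ) .* (\S+)\(\d+\): (\w+): .* (\S+) for ([^\s,]+)")

def join_wrapped(text):
    records = []  # re-join continuation lines, which carry no syslog timestamp
    for line in text.splitlines():
        if SYSLOG_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse_record(record):
    m = SYSLOG_RE.match(record)
    if not m:
        return None
    e = dict(zip(("time", "host", "prog", "pid", "msg"), m.groups()))
    if e["prog"] == "krb5kdc" and (k := KDC_RE.match(e["msg"])):
        e.update(req=k[1], client_ip=k[2], status=k[3], client=k[4], service=k[5])
    elif e["msg"].startswith("pam_"):  # su logs "<pam function>: <pam_strerror text>"
        func, _, text = e["msg"].partition(": ")
        e.update(pam_func=func, pam_code=PAM_ERRORS.get(text.rstrip("."), "UNKNOWN"))
    return e

def triage(text):
    """Separate the Kerberos exchange from the PAM stage that actually failed."""
    entries = [e for e in map(parse_record, join_wrapped(text)) if e]
    issued = [(e["client"], e["service"]) for e in entries if e.get("status") == "ISSUE"]
    pam = [(e["pam_func"], e["pam_code"]) for e in entries if "pam_func" in e]
    return {"tickets_issued": issued, "pam_failures": pam,
            "kerberos_ok": any(s.startswith("krbtgt/") for _, s in issued)}
```

Run `triage(LOG)` to get the summary; a "kerberos_ok" of True alongside a pam_acct_mgmt failure points at the account stack rather than at the KDC or the password.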
