Tickets accepted upon login but still prompted for password

Suresh Narayan Srinivasan sureshnarayan.s at sonata-software.com
Mon Mar 18 00:02:58 EST 2002


Hi,

You are missing a .k5login file on your Linux box, in the home directory
of the user you want to log in as.

You may try creating a .k5login file with an entry of your principal name
(user at REALM.COM) with which you got your initial TGT.

Try this; it should work.

Suresh

-----Original Message-----
From: arechenberg at shermfin.com [mailto:arechenberg at shermfin.com]
Sent: 15 March 2002 21:33
To: kerberos at mit.edu
Subject: Tickets accepted upon login but still prompted for password


I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
for telnet access.  The KDC is a Windows 2000 Server (SP2).  I have
successfully setup a service principal for the Linux box in the 2000
domain and I have transferred the keytab to the Linux box and imported
it into /etc/krb5.keytab.

A user can successfully obtain tickets from the KDC while logging in,
but when I try to test an automatic telnet login the user's tickets
are accepted but the user is still prompted for a password.  I would
prefer the users not to be prompted once they obtain their Kerberos
tickets.

Am I missing something so obvious it's stupid? :)  I have krb5-telnet
activated in xinetd and have specified it to use login.krb5.  I also
have the default PAM config files for RH7.1.  I have tried using
authconfig to include Kerberos authentication, but that did not make a
difference.  Below are relevant configuration files and sample outputs
from a telnet session.

Any help would be greatly appreciated.  Let me know if you need any
more information.  Please CC: my email address with any responses. 
Thank you in advance.

Regards,
Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg(at)shermanfinancialgroup.com


***********************************************************
[root at rh71test ~]# telnet rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com.
Escape character is '^]'.

    rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30
EDT 2001) (4)

login: arechenberg
Password for arechenberg:
Last login: Fri Mar 15 10:38:46 from rh71test

[arechenberg at rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_p31503
Default principal: arechenberg at SHERMFIN.COM

Valid starting     Expires            Service principal
03/15/02 10:49:24  03/15/02 20:49:24  krbtgt/SHERMFIN.COM at SHERMFIN.COM
        Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/15/02 10:49:24  03/15/02 10:54:24  host/rh71test.shermfin.com at SHERMFIN.COM
        Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg at rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``arechenberg at SHERMFIN.COM'' ]
Password for arechenberg:

^^^^^^^^^^^^^^^^^^^^^^^^^
Tickets accepted, but still prompted for password. :\


[root at rh71test ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = SHERMFIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true

[realms]
 SHERMFIN.COM = {
  kdc = mykdc.shermfin.com:88
  default_domain = shermfin.com
 }

[domain_realm]
 .shermfin.com = SHERMFIN.COM
 shermfin.com = SHERMFIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false


[root at rh71test ~]# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        server_args     = -a valid -L /bin/login.krb5
        log_on_failure  += USERID
        disable         = no
}

[root at rh71test ~]# cat /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

[root at rh71test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
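The following is an added example, not part of the thread and not MIT krb5's own code. It models the authorization decision that login.krb5 makes for a local account: if ~/.k5login exists, the authenticated principal must appear in it verbatim; if it does not exist, MIT krb5's default mapping accepts only the principal whose name equals the local username in the default realm (here arechenberg at SHERMFIN.COM for local user arechenberg). It also shows how to create the file the reply recommends. The model deliberately leaves out the ownership and permission checks krb5 applies to the file itself, and the helper names are my own.

```shell
#!/bin/sh
# Added example: model of the .k5login authorization check, plus a helper
# that writes the file as the reply suggests. Not the krb5 implementation.

# k5login_allows HOME LOCALUSER PRINCIPAL DEFAULT_REALM
# Returns 0 if PRINCIPAL would be accepted for LOCALUSER, 1 otherwise.
k5login_allows() {
    home=$1; user=$2; princ=$3; realm=$4
    f="$home/.k5login"
    if [ -f "$f" ]; then
        # File present: explicit allow-list, one principal per line,
        # whole-line exact match (no realm defaulting, no wildcards).
        if grep -qxF "$princ" "$f"; then
            return 0
        else
            return 1
        fi
    fi
    # File absent: default mapping accepts only LOCALUSER@DEFAULT_REALM.
    if [ "$princ" = "$user@$realm" ]; then
        return 0
    else
        return 1
    fi
}

# make_k5login HOME PRINCIPAL...
# Writes HOME/.k5login with one principal per line. The file must also be
# owned by the account (chown it if you create it as root) and must not be
# group- or world-writable, which is why it is created with mode 0600.
make_k5login() {
    home=$1; shift
    f="$home/.k5login"
    : > "$f"
    for p in "$@"; do
        printf '%s\n' "$p" >> "$f"
    done
    chmod 600 "$f"
}

# Demonstration on a constructed home directory (not a real account).
demo_home=$(mktemp -d)
make_k5login "$demo_home" arechenberg@SHERMFIN.COM
if k5login_allows "$demo_home" arechenberg arechenberg@SHERMFIN.COM SHERMFIN.COM; then
    echo "arechenberg@SHERMFIN.COM accepted for local user arechenberg"
fi
rm -rf "$demo_home"
```

Note the second rule: once a .k5login exists, a principal that would have been accepted by the default mapping is refused unless it is listed, so the file must contain the user's own principal as well as any others you want to admit.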
