kerberos + Pam issue

Mike Zupan mzupan at meso.com
Tue Mar 30 13:50:05 EST 2004


I am trying to set up a simple network auth setup on a small network.
Around 100 servers. I am using RH 9 and this is my server setup:

[root at monitor sbin]# rpm -qa | grep krb5
pam_krb5-1.60-1
krb5-devel-1.2.7-14
krb5-libs-1.2.7-14
krb5-server-1.2.7-14

My conf files look ok.

Here are the packages on the one client I'm testing.

[root at homer log]#  rpm -qa | grep krb5
krb5-libs-1.2.7-14
krb5-devel-1.2.7-14
krb5-workstation-1.2.7-14
pam_krb5-1.60-1
krb5-server-1.2.7-14


When I try to log in via console with a user I added via the server:
kadmin.local:  addprinc wind
WARNING: no policy specified for wind at MESO.COM; defaulting to no policy
Enter password for principal "wind at MESO.COM": 
Re-enter password for principal "wind at MESO.COM": 


I get the following error in /var/log/messages on the client:

Mar 30 13:39:20 homer login(pam_unix)[21652]: check pass; user unknown
Mar 30 13:39:20 homer login(pam_unix)[21652]: authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost= 
Mar 30 13:39:20 homer login[21652]: pam_krb5: unable to determine uid/gid for user
Mar 30 13:39:20 homer login[21652]: pam_krb5: authentication fails for `wind'
Mar 30 13:39:22 homer login[21652]: FAILED LOGIN 1 FROM (null) FOR wind, User not known to the underlying authentication module


The wind user is valid on the server and seems to be set up. I get no log
on the server. I also set up my user on the server using the same
command, and this same user is also valid in the client's local passwd
list, and this is what I get in the logs for the client:

Mar 30 13:48:59 homer login(pam_unix)[21661]: session opened for user mzupan by (uid=0)
Mar 30 13:48:59 homer  -- mzupan[21661]: LOGIN ON tty2 BY mzupan

OK, since it finds it locally it doesn't try Kerberos, but I get this in
the Kerberos logs:

zupan at MESO.COM for krbtgt/MESO.COM at MESO.COM
Mar 30 13:27:03 monitor.meso.com krb5kdc[31435](info): AS_REQ (3 etypes {16 3 1}) 66.193.31.32(88): ISSUE: authtime 1080671223, etypes {rep=16 tkt=16 ses=16}, mzupan at MESO.COM for krbtgt/MESO.COM at MESO.COM


So it seems there's an issue somewhere and I cannot figure it out. If
you need to see my configs I'll post them.

Thanks
Mike



-- 
Mike Zupan <mzupan at meso.com>


