Pam kerberos vs. Kinit
Douglas E. Engert
deengert at anl.gov
Fri Mar 18 10:38:42 EST 2005
Luis Daniel Lucio Quiroz wrote:
> The problem I see on using pam krb is that ticket is on server not on
> workstation. Maybe you could use flag addressless to fix this issue, but I
> am not sure.
No. The problem as I understand it, is that on the same machine doing a kinit
vs using the pam_krb5 gives different results. The pam_krb5 in effect is
doing a kinit for you. One works the other does not.
A network trace would help a lot.
If Wyllys is correct then doing a ls -l on the ticket cache after
the kinit could give a clue. A ticket without a PAC is 200-300 bytes.
With a PAC it would be more like 1000 bytes.
>
> LD
>
> Le Vendredi 18 Mars 2005 07:10, Wyllys Ingersoll a écrit :
>
>>Douglas E. Engert wrote:
>>
>>>>I've just run another test and discovered that I can successfully
>>>>log into the host initially (via PAM kerberos library and SSH), and
>>>>I don't get error 52. I've got a ticket in my cache and
>>>>everything. Kerb error 52 only occurs if I'm using kinit from the
>>>>shell.
>>>
>>> You could be right on the cut over point, and maybe addressless vs
>>> with address tickets keep the ticket just small enough.
>>
>>When the client does not do pre-authentication, does AD still
>>send PAC data? I thought it did not, but I'm not certain.
>>
>>-Wyllys
>>________________________________________________
>>Kerberos mailing list Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
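
The size check suggested in the message above, applied per ticket instead of to the whole cache file, as an added example that is not part of the original post: it reads a version 4 MIT FILE credential cache and reports the length of each ticket. The 600-byte `hint` cut-off, the `Reader` helper and the zero-filled `SAMPLE` cache are assumptions constructed for illustration.

```python
import struct

class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def u(self, fmt):                  # one big-endian integer (">H" or ">I")
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self):                    # counted octet string: u32 length + bytes
        return self.take(self.u(">I"))
    def typed(self):                   # u16 type + counted data (key, address, authdata)
        return self.u(">H"), self.data()
    def principal(self):
        _name_type, count = struct.unpack(">II", self.take(8))
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(count)) + "@" + realm

def ticket_sizes(ccache, hint=600):    # hint: assumed cut-off between the quoted sizes
    """[(server, ticket_bytes, over_hint)] per credential in a version 4 FILE ccache."""
    r = Reader(ccache)
    if r.u(">H") != 0x0504:
        raise ValueError("only ccache file format version 4 is handled")
    r.take(r.u(">H"))                  # skip header tags
    r.principal()                      # default principal
    found = []
    while r.pos < len(ccache):
        r.principal()                  # client
        server = r.principal()
        r.typed()                      # session key
        r.take(16 + 1 + 4)             # four timestamps, is_skey, ticket flags
        for _ in range(2):             # address list, then authdata list
            for _ in range(r.u(">I")):
                r.typed()
        ticket, _second = r.data(), r.data()   # ticket, then second ticket
        found.append((server, len(ticket), len(ticket) >= hint))
    return [f for f in found if not f[0].endswith("@X-CACHECONF:")]  # drop MIT config entries

# Constructed sample cache (zero-filled, not real tickets): 260-byte and 1040-byte tickets.
def _princ(*parts, realm="EXAMPLE.COM"):
    enc = lambda s: struct.pack(">I", len(s)) + s.encode()
    return struct.pack(">II", 1, len(parts)) + enc(realm) + b"".join(map(enc, parts))
def _cred(size, *server):
    return (_princ("user") + _princ(*server) + struct.pack(">HI", 18, 4) + b"kkkk"
            + bytes(16 + 1 + 4 + 4 + 4) + struct.pack(">I", size) + bytes(size) + bytes(4))
SAMPLE = (struct.pack(">HH", 0x0504, 0) + _princ("user")
          + _cred(260, "krbtgt", "EXAMPLE.COM") + _cred(1040, "host", "srv.example.com"))
```

Ticket length is only a hint: the authorization data sits in the encrypted part of the ticket, so the cache holder cannot read it directly.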