Linux : krb5 and pam

Quinten quinten at xs4all.nl
Tue Apr 4 11:22:04 EDT 2006


Sensei wrote:
> On 2006-03-30 01:21:04 +0200, Quinten <quinten at xs4all.nl> said:
> 
>>   Our environment is currently using 2 AD/realms. I am trying to set 
>> up a RHEL3 host to authenticate users from both realms. If the 
>> default_realm in /etc/krb5.conf is set to one realm, the users in the 
>> other realm cannot authenticate and vice versa. So there is no issue 
>> on any settings, they just seem unable to coexist.
> 
> Naive question... can you kinit the NOT_DEFAULT_REALM?

No, but if I make the other realm default I can. All users from realm, 
say AD1, can authenticate if AD1 is default in krb5.conf. All users from 
realm, say AD2, can authenticate if AD2 is default in krb5.conf.

> 
>>   The pam_krb5.so module in /etc/pam.d/system-auth is set to 
>> "sufficient". I have tried to add another entry:
>>
>> account   sufficient   /lib/security/$ISA/pam_krb5.so.0
>> account   sufficient   /lib/security/$ISA/pam_krb5.so.0\ 
>> realm=not.my.default
> 
> Is that a backslash?

No, typo in posting, not in the file

> 
>> There is a similar setup we have on Solaris hosts that does actually 
>> work.
> 
> Similar? How? What is the difference?

On the Solaris host, a workaround has been established by copying and 
renaming the pam_krb5 module and adding this module entry in the pam.conf 
with the option realm=ad2.domain.com. If the first entry fails (default 
realm), pam continues with the second, renamed entry, whose option 
overrides the default realm.

> 
>> I am not quite sure whether this is a PAM or a pam_krb5 issue. Does 
>> anyone have any suggestions or ideas how to solve this?
> 
> Post more informations, pam settings, krb5.conf on both sides, ...

The settings below, /etc/krb5.conf, /etc/pam.d/system-auth allow users
from AD1 because it's the default realm in krb5.conf. Users from the AD2
are not authenticated: verbose debug shows that uid and gid are actually
found (NIS) but are not found in the kerberos database.

system-auth
===========
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM use_first_pass

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_krb5.so debug
account     sufficient    /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM use_authtok

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     sufficient    /lib/security/$ISA/pam_krb5.so debug
session     sufficient    /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM


krb5.conf
=========

[libdefaults]
  default_realm = AD1.DOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  AD1.DOMAIN.COM = {
   kdc = dc001.ad1.domain.com:88
   kdc = dc003.ad1.domain.com:88
   admin_server = dc001.ad1.domain.com:749
   kpasswd_protocol = SET_CHANGE
  }

  AD2.DOMAIN.COM = {
   kdc = dc001.ad2.domain.com:88
   kdc = dc002.ad2.domain.com:88
   admin_server = dc001.ad2.domain.com:749
   kpasswd_protocol = SET_CHANGE
  }

[domain_realm]
         .ad1.domain.com = AD1.DOMAIN.COM
         ad1.domain.com = AD1.DOMAIN.COM
         .ad2.domain.com = AD2.DOMAIN.COM
         ad2.domain.com = AD2.DOMAIN.COM

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
  kinit = {
   renewable = true
   forwardable = true
  }
  login = {
   krb5_get_tickets = true
  }

messages
========
Mar 28 14:02:28 lsftest001 sshd(pam_unix)[6488]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vaughan  user=user1
Mar 28 14:02:28 lsftest001 sshd[6488]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Mar 28 14:02:28 lsftest001 sshd[6488]: pam_krb5: authentication fails for `user1'

And more verbose:

Apr  4 12:59:22 lsftest001 sshd(pam_unix)[8484]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vaughan  user=user2
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_config() called
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: Creating a ticket with addresses
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: krb4_convert false
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: password-changing banner set to `Kerberos 5'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: ccache directory set to `/tmp'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets forwardable
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting initial timeout to 1
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: keytab file name set to `/etc/krb5.keytab'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting maximum timeout to 30
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: will only attempt to authenticate users when UID >= 0
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable lifetime to 36000
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to `host/lsftest001'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime to 36000
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD1.DOMAIN.COM'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637, gid 40
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to authenticate `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned Client not found in Kerberos database
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails for `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_config() called
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: Creating a ticket with addresses
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: krb4_convert false
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: password-changing banner set to `Kerberos 5'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: ccache directory set to `/tmp'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets forwardable
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting initial timeout to 1
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: keytab file name set to `/etc/krb5.keytab'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting maximum timeout to 30
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: will only attempt to authenticate users when UID >= 0
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable lifetime to 36000
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to `host/lsftest001'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime to 36000
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD2.DOMAIN.COM'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637, gid 40
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to authenticate `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned Client not found in Kerberos database
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails for `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable lifetime to 36000
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to `host/lsftest001'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime to 36000
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD2.DOMAIN.COM'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637, gid 40
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to authenticate `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned Client not found in Kerberos database
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails for `user2'


thanks,
Quinten
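The verbose log in this message interleaves several pam_krb5 invocations with their full configuration dumps, which makes it hard to see at a glance which realm each stack entry actually used and how each attempt ended. The script below is an added example, not code from the message or from pam_krb5: it groups the syslog lines per pam_sm_authenticate() call and reports realm, user, library error and PAM return code per attempt. The sample log is constructed from the excerpt above with the mail wrapping removed and one attempt per realm; the constant name KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN is the MIT com_err name for the error value pam_krb5 prints.

```python
"""Group pam_krb5 debug output by authentication attempt.

Each pam_krb5 entry in the PAM stack logs the default realm it ended up
using, the user it tried, the library error it got back and, for the
entry that terminated the stack, the PAM return code. Grouping the lines
per pam_sm_authenticate() call shows per attempt which realm was used and
how it ended, which separates "the realm= option was ignored" from "the
realm was right but that KDC does not know the principal".
"""
import re

# Constructed sample modelled on the verbose syslog excerpt in the message
# above, with the mail wrapping removed; it is not a verbatim copy.
SAMPLE_LOG = """\
Apr  4 12:59:22 lsftest001 sshd(pam_unix)[8484]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vaughan  user=user2
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_config() called
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD1.DOMAIN.COM'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637, gid 40
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to authenticate `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails for `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_config() called
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD2.DOMAIN.COM'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to authenticate `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails for `user2'
"""

# com_err value of KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, as printed by pam_krb5.
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = -1765328378

START_RE = re.compile(r"pam_krb5: pam_sm_authenticate\(\) called")
REALM_RE = re.compile(r"pam_krb5: default Kerberos realm is `([^']*)'")
USER_RE = re.compile(r"pam_krb5: attempting to authenticate `([^']*)'")
ERROR_RE = re.compile(r"pam_krb5: authenticate error: (.*) \((-?\d+)\)\s*$")
RETURN_RE = re.compile(r"pam_krb5: pam_sm_authenticate returning (\d+) \((.*)\)\s*$")


def parse_attempts(text):
    """Return one dict per pam_sm_authenticate() call found in text."""
    attempts = []
    current = None
    for line in text.splitlines():
        if START_RE.search(line):
            current = {"realm": None, "user": None, "error": None,
                       "krb5_code": None, "pam_return": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # pam_unix line and config dump before the first call
        m = REALM_RE.search(line)
        if m:
            current["realm"] = m.group(1)
            continue
        m = USER_RE.search(line)
        if m:
            current["user"] = m.group(1)
            continue
        m = ERROR_RE.search(line)
        if m:
            current["error"] = m.group(1)
            current["krb5_code"] = int(m.group(2))
            continue
        m = RETURN_RE.search(line)
        if m:
            current["pam_return"] = int(m.group(1))
    return attempts


def realms_tried(attempts):
    """Realms in the order the PAM stack tried them (duplicates kept)."""
    return [a["realm"] for a in attempts]


def unknown_in_every_realm(attempts):
    """True when every attempt ended in 'client principal unknown'.

    Combined with differing realms in realms_tried(), this shows that the
    realm= override did take effect and that each KDC asked rejected the
    principal, so the stacking itself is not what is failing.
    """
    return bool(attempts) and all(
        a["krb5_code"] == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN for a in attempts)


def report(attempts):
    """One human-readable summary line per attempt."""
    out = []
    for i, a in enumerate(attempts, 1):
        tail = "" if a["pam_return"] is None else " -> PAM %d" % a["pam_return"]
        out.append("attempt %d: realm=%s user=%s result=%s (%s)%s" % (
            i, a["realm"], a["user"], a["error"] or "ok", a["krb5_code"], tail))
    return out


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    for line in report(found):
        print(line)
    print("unknown in every realm:", unknown_in_every_realm(found))
```

Run against a real /var/log/messages extract instead of SAMPLE_LOG (for example the lines for one sshd PID), the per-attempt view makes it obvious whether the second stack entry ran with the realm you gave it; what it cannot tell you is why that realm's KDC does not know the principal, which has to be checked on the KDC side.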
