Linux : krb5 and pam
Quinten
quinten at xs4all.nl
Tue Apr 4 11:22:04 EDT 2006
Sensei wrote:
> On 2006-03-30 01:21:04 +0200, Quinten <quinten at xs4all.nl> said:
>
>> Our environment is currently using 2 AD/realms. I am trying to set
>> up a RHEL3 host to authenticate users from both realms. If the
>> default_realm in /etc/krb5.conf is set to one realm, the users in the
>> other realm cannot authenticate and vice versa. So there is no issue
>> on any settings, they just seem unable to coexist.
>
> Naive question... can you kinit the NOT_DEFAULT_REALM?
No, but if I make the other realm default I can. All users from realm,
say AD1, can authenticate if AD1 is default in krb5.conf. All users from
realm, say AD2, can authenticate if AD2 is default in krb5.conf.
>
>> The pam_krb5.so module in /etc/pam.d/system-auth is set to
>> "sufficient". I have tried to add another entry:
>>
>> account sufficient /lib/security/$ISA/pam_krb5.so.0
>> account sufficient /lib/security/$ISA/pam_krb5.so.0\
>> realm=not.my.default
>
> Is that a backslash?
No, typo in posting, not in the file
>
>> There is a similar setup we have on Solaris hosts that does actually
>> work.
>
> Similar? How? What is the difference?
On the Solaris host, a workaround has been established by copying and
renaming the pam_krb5 module and adding this module entry in the pam.conf
with the option realm=ad2.domain.com. If the first entry fails (default
realm), pam continues with the second, renamed entry with the option that
overrides the default realm.
>
>> I am not quite sure whether this is a PAM or a pam_krb5 issue. Does
>> anyone have any suggestions or ideas how to solve this?
>
> Post more information, pam settings, krb5.conf on both sides, ...
The settings below (/etc/krb5.conf, /etc/pam.d/system-auth) allow users
from AD1 because it's the default realm in krb5.conf. Users from AD2
are not authenticated: verbose debug shows that uid and gid are actually
found (NIS) but the user is not found in the Kerberos database.
system-auth
===========
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth sufficient /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM use_first_pass
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_krb5.so debug
account sufficient /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM use_authtok
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session sufficient /lib/security/$ISA/pam_krb5.so debug
session sufficient /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM
krb5.conf
=========
[libdefaults]
default_realm = AD1.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
AD1.DOMAIN.COM = {
kdc = dc001.ad1.domain.com:88
kdc = dc003.ad1.domain.com:88
admin_server = dc001.ad1.domain.com:749
kpasswd_protocol = SET_CHANGE
}
AD2.DOMAIN.COM = {
kdc = dc001.ad2.domain.com:88
kdc = dc002.ad2.domain.com:88
admin_server = dc001.ad2.domain.com:749
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
.ad1.domain.com = AD1.DOMAIN.COM
ad1.domain.com = AD1.DOMAIN.COM
.ad2.domain.com = AD2.DOMAIN.COM
ad2.domain.com = AD2.DOMAIN.COM
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
kinit = {
renewable = true
forwardable = true
}
login = {
krb5_get_tickets = true
}
messages
========
Mar 28 14:02:28 lsftest001 sshd(pam_unix)[6488]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vaughan user=
user1
Mar 28 14:02:28 lsftest001 sshd[6488]: pam_krb5: authenticate error:
Client not found in Kerberos database (-1765328378)
Mar 28 14:02:28 lsftest001 sshd[6488]: pam_krb5: authentication fails
for `user1'
And more verbose:
Apr 4 12:59:22 lsftest001 sshd(pam_unix)[8484]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vaughan user=user2
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_config() called
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: Creating a ticket with
addresses
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: krb4_convert false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: password-changing
banner set to `Kerberos 5'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: ccache directory set to
`/tmp'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets forwardable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting initial timeout
to 1
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: keytab file name set to
`/etc/krb5.keytab'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting maximum timeout
to 30
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: will only attempt to
authenticate users when UID >= 0
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable
lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to
`host/lsftest001'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime
to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate()
called (prc = Success)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm
is `AD1.DOMAIN.COM'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned
`user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637,
gid 40
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to
authenticate `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned
Client not found in Kerberos database
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error:
Client not found in Kerberos database (-1765328378)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails
for `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate
returning 10 (User not known to the underlying authentication module)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_config() called
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: Creating a ticket with
addresses
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: krb4_convert false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: password-changing
banner set to `Kerberos 5'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: ccache directory set to
`/tmp'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets forwardable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting initial timeout
to 1
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: keytab file name set to
`/etc/krb5.keytab'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting maximum timeout
to 30
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: will only attempt to
authenticate users when UID >= 0
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable
lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to
`host/lsftest001'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime
to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate()
called (prc = Success)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm
is `AD2.DOMAIN.COM'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned
`user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637,
gid 40
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to
authenticate `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned
Client not found in Kerberos database
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error:
Client not found in Kerberos database (-1765328378)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails
for `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable
lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to
`host/lsftest001'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime
to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate()
called (prc = Success)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm
is `AD2.DOMAIN.COM'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned
`user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637,
gid 40
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to
authenticate `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned
Client not found in Kerberos database
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error:
Client not found in Kerberos database (-1765328378)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails
for `user2'
thanks,
Quinten
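The verbose log above answers one half of the question on its own: the second pam_krb5 entry does switch to `AD2.DOMAIN.COM', yet that KDC also reports "Client not found in Kerberos database". The following added triage script (not part of the post or of pam_krb5) parses that debug format per pam_sm_authenticate() call and separates "second realm never consulted" from "consulted, but no such principal"; the sample input is a constructed excerpt of the log lines shown in the post, and the error-code name is the MIT krb5 constant for -1765328378.

```python
import re
# Constructed excerpt modelled on the pam_krb5 debug lines in the post; the
# config lines pam_krb5 logs between them are omitted.
SAMPLE_LOG = """\
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD1.DOMAIN.COM'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD2.DOMAIN.COM'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
"""
# The only krb5 code in the post: the KDC has no client principal of that name.
KRB5_ERRORS = {-1765328378: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"}
_CALL = re.compile(r"pam_krb5: pam_sm_authenticate\(\) called")
_FIELDS = {
    "realm": re.compile(r"default Kerberos realm is `([^']+)'"),
    "user": re.compile(r"pam_krb5: user is `([^']+)'"),
    "error": re.compile(r"authenticate error: .*\((-?\d+)\)"),
}

def parse_attempts(log_text):
    """One dict per pam_sm_authenticate() call: realm, user, error code (None = no error logged)."""
    attempts = []
    for line in log_text.splitlines():
        if _CALL.search(line):
            attempts.append({"realm": None, "user": None, "error": None})
        elif attempts:
            for key, rx in _FIELDS.items():
                m = rx.search(line)
                if m:
                    attempts[-1][key] = int(m.group(1)) if key == "error" else m.group(1)
    return attempts

def realm_outcomes(attempts, user):
    """Realm -> error name ('OK' if none) for every module instance that handled `user`."""
    return {a["realm"]: "OK" if a["error"] is None else KRB5_ERRORS.get(a["error"], str(a["error"]))
            for a in attempts if a["user"] == user}

def diagnose(attempts, user):
    """Distinguish 'second realm never consulted' from 'consulted, but no such principal'."""
    out = realm_outcomes(attempts, user)
    if len(out) < 2:
        return "only one realm consulted: check the realm= option on the second pam_krb5 entry"
    if all(v == "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" for v in out.values()):
        return "every realm consulted, none has a client principal for " + user
    return "failing realms: " + ", ".join(r for r, v in out.items() if v != "OK")
```

Run `diagnose(parse_attempts(open("/var/log/messages").read()), "user2")` against the real file; on the excerpt above it reports that both realms were consulted and neither knows user2, which points at the principal name or realm mapping rather than at the PAM stack.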