Linux : krb5 and pam

Sensei senseiwa at mac.com
Tue Apr 11 14:40:10 EDT 2006 

On 2006-04-11 01:37:06 +0200, Quinten <quinten at xs4all.nl> said:

>>>> Naive question... can you kinit the NOT_DEFAULT_REALM?
>>> 
> 
> Buck: To clear out my misconceptions on the definition of 
> authentication, I meant logging on with SSH from another machine. I am 
> indeed able to kinit succesfully as both users from both domains when I 
> log on locally as one of the users. See my writing below.

Ok.

>> This is probably something bad with your configuration. You *MUST* be 
>> able to kinit default realm principals (without @REALM) and non-default 
>> ones (with @REALM).
>> 
> 
> I did some more testing by su-ing to users that are members from 
> different domains. The su is not kerberized (ksu) so they won't receive 
> a ticket. Then I performed the kinit command and was able to get a 
> ticket for each user from each domain. So I think it is save to 
> conclude that it is not the kerberos config that has problems.

So let's say, you log in as root, and then you can kinit as 
user1 at REALM1 as well as user2 at REALM2. This involves pam_unix.so and 
pure kinit, and makes pretty sure as you say, krb5.conf is ok as well 
as the cryptography for each user.

> Logging on to the server by using SSH however, allows only one user 
> from one domain to be logged on: the user from the domain that is set 
> default in the /etc/krb5.conf.

Now, let's talk about the host keytab files. Do you have 
host/FQDN at REALM1 in the file? Do you have host/FQDN at REALM2? What about 
their KVNOs? I forgot that once and I wasn't able to login again via 
ssh.

> I heavily suspect the pam_krb5 module in this case; it is able to 
> perform kerberos authentication for the default domain. For the non 
> default domain the debug output in /var/adm/messages is able to get the 
> user from the kerberos database but then fails to validate the password.
> 
> I will setup a tcpdump to see which kdc it is trying to contact in the 
> latter case. And recompile some pam_krb5 modules to see wether there 
> will be differences. I will let you know.

Well, I hope you forgot the keytabs and with that you have everything 
running smoothly, otherwise... well, a tcpdump should be fine :)

Before that, why don't you add ``debug'' to the pam_krb5.so lines in 
your pam settings? It should work for auth and password only (if my 
memory doesn't fail), so you will se a more verbose log and hopefully 
some hints.


>> PS. I ask, don't be angry: are all the times set correctly with some 
>> ntp based solution?
>> 
>> 
> 
> *This makes me go bezerk completely* :-).

Have mercy :D

> It is a very valid question because it will cause weird problems when 
> the local times differ too much. But we have set NTP for all servers 
> and clients.

Good. One thing I noticed on many clients here is that an ntpdate at 
boot solution is not good, since it can produce large time drifts if 
you don't reboot the clients often. A cron job was my solution.

Just my 2 cents... I hope it will help!

-- 
Sensei <senseiwa at mac.com>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true.      [J. Robert Oppenheimer]

More information about the Kerberos mailing list