PAM hangs after authenticating against 2003 AD

Jesper Angelo dkguru at gmail.com
Tue Aug 8 06:09:12 EDT 2006


Hi,

I was looking for a PAM group, but couldn't find one, so I hope someone
here might have the knowledge.

I am trying to log into my Linux box, using a password from a Win 2003
AD.
Everything seems to be talking, but after login,
everything hangs for 30 seconds and then exits out.


So if anyone has any idea on adding more debug info, I would appreciate
it - I'm kinda stuck...





This is what happens on the client:
------------------------------------------------------
krbtest:~# login test
Password:

------------------------------------------------------
(60 seconds pass, then back to command line with timeout from login
program)



The log says (Two lines, showing up right after entering password):
------------------------------------------------------
Aug  8 11:50:45 localhost login[13538]: (pam_unix) authentication failure; logname=newbie uid=0 euid=0 tty=tty1 ruser= rhost= user=newbie
Aug  8 11:50:45 localhost login[13538]: pam_krb5: pam_sm_authenticate(login newbie): entry:
------------------------------------------------------
(And nothing else - I've tried adding "debug" in as many places as I could.)



The AD has a record saying I'm approved:
------------------------------------------------------
Authentication Ticket Request:
 	User Name:		test
 	Supplied Realm Name:	REALM.COM
 	User ID:			REALM\test
 	Service Name:		krbtgt
 	Service ID:		REALM\krbtgt
 	Ticket Options:		0x50000010
 	Result Code:		-
 	Ticket Encryption Type:	0x17
 	Pre-Authentication Type:	2
 	Client Address:		1.0.242.250
 	Certificate Issuer Name:
 	Certificate Serial Number:
 	Certificate Thumbprint:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
------------------------------------------------------



If I do a tcpdump I get:
------------------------------------------------------
krbtest:~# tcpdump -s 1500 -x -n -p udp port 88
11:47:00.506913 IP 1.0.242.250.32874 > 1.0.242.242.88:  v5
        0x0000:  4500 00d2 e308 4000 4011 6f25 0100 f2fa  E.....@.@.o%....
        0x0010:  0100 f2f2 806a 0058 00be 2fc0 6a81 b330  .....j.X../.j..0
                            (snip snip snip)
------------------------------------------------------
4 packets in total - Client->AD, AD->Client, Client->AD, AD->Client.



Kerberos is installed using Debian packages, login configured by adding
a line to the end of /etc/pam.d/login:
------------------------------------------------------
(snip)

@include common-kerberos
------------------------------------------------------



...where common-kerberos is:
------------------------------------------------------
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
auth            sufficient      pam_krb5.so try_first_pass forwardable debug
account         sufficient      pam_krb5.so debug
password        sufficient      pam_krb5.so try_first_pass debug
------------------------------------------------------
(I tried to add the user locally (with another pw), and remove
'pam_mkhomedir.so' but it didn't help... same result)
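
Added example, not part of the original message: a small Python helper that expands `@include` lines and lists the modules of each type in the order PAM calls them, which is how an include appended to the end of /etc/pam.d/login ends up running after pam_unix, as the log above shows. The pam_unix lines in `login` are constructed stand-ins for the snipped part of the file; `shadowed_sufficient` is a hypothetical check that flags `sufficient` modules whose success cannot override an earlier `required` failure.

```python
import re
# Constructed input: the post snips /etc/pam.d/login, so its pam_unix lines
# below are assumptions. common-kerberos is the file quoted in the post.
FILES = {
    "login": (
        "auth     required  pam_unix.so nullok\n"
        "account  required  pam_unix.so\n"
        "session  required  pam_unix.so\n"
        "@include common-kerberos\n"
    ),
    "common-kerberos": (
        "session  required    pam_mkhomedir.so skel=/etc/skel/ umask=0022\n"
        "auth     sufficient  pam_krb5.so try_first_pass forwardable debug\n"
        "account  sufficient  pam_krb5.so debug\n"
        "password sufficient  pam_krb5.so try_first_pass debug\n"
    ),
}

# type, control (plain word or [bracketed] form), module, optional arguments
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def expand(name, files, seen=()):
    """Yield (file, type, control, module, args) rules with @include resolved."""
    if name in seen:
        raise ValueError("include loop at " + name)
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            yield from expand(line.split()[1], files, seen + (name,))
        elif line:
            m = RULE.match(line)
            if not m:
                raise ValueError("unparsable rule in %s: %r" % (name, raw))
            yield (name,) + m.groups()

def stack(service, files, mtype):
    """Modules of one type (auth, account, ...) in the order PAM calls them."""
    return [r for r in expand(service, files) if r[1] == mtype]

def shadowed_sufficient(service, files, mtype):
    """'sufficient' modules that run after a required/requisite one."""
    out, gate = [], False
    for _, _, control, module, _ in stack(service, files, mtype):
        if control == "sufficient" and gate:
            out.append(module)
        gate = gate or control in ("required", "requisite")
    return out

if __name__ == "__main__":
    print(stack("login", FILES, "auth"), shadowed_sufficient("login", FILES, "auth"))
```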




More information about the Kerberos mailing list