PAM hangs after authenticating against 2003 AD

Russ Allbery rra at stanford.edu
Fri Aug 11 21:57:54 EDT 2006


Markus Moeller <huaraz at moeller.plus.com> writes:

> pam_krb5 checks if the kdc you talk to is not a fake by using the host
> principal in the default keytab. Look at the traffic on port 88 with
> ethereal and you should see a tgt request for host/server-fqdn. Some pam
> modules have an option to not do this verification, check your man
> pages.

You shouldn't see a TGT request.  You should see a request for a service
ticket (a KRB_TGS_REQ).

>>> --[LOG]-----------------------------------------------------
>>> Aug 10 15:37:17 krbtest login[1151]: pam_krb5:
>>> pam_sm_authenticate(login newbie): entry:
>>> Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt():
>>> krb5_mk_req(): Server not found in Kerberos database
>>> Aug 10 15:37:22 krbtest login[1151]: pam_krb5:
>>> pam_sm_authenticate(login newbie): exit: failure

This log message smells like the Debian PAM module.  (I just uploaded a
new version of that module with much better error reporting, btw, but it's
only in unstable at the moment.)  That error message, if coming from the
Debian PAM module, says that you have a key for the local system in its
keytab file, but when the server attempted to generate an authenticator
for that key, the KDC said that the principal didn't exist in the KDC.  In
other words, I would suspect either an outdated keytab file or a keytab
file for some realm other than the system's default realm.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
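Added example (not pam_krb5 code, and not from anyone in this thread): the verification Russ describes is a KRB_TGS_REQ for the host principal in the default keytab, and the same request can be driven by hand with `kvno host/<fqdn>` after a `kinit`. The script below parses the text that `klist -k`, `kvno` and krb5.conf produce and names the likely cause of a failure in the order Russ suggests: keytab for another realm, principal unknown to the KDC (the "Server not found in Kerberos database" case in the log above), or a key version that no longer matches. The host name krbtest.example.com, the realms, and all command outputs are constructed samples, not real output.

```python
"""Reproduce pam_krb5's KDC-verification check offline and explain a failure.

Added example; all host names, realms and command outputs are constructed.
"""
import re

# One entry line of `klist -k`: "<kvno> <principal>@<REALM>".
KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*$")


def default_realm(krb5_conf_text):
    """Return default_realm from the [libdefaults] section, or None."""
    in_libdefaults = False
    for line in krb5_conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_libdefaults = (s == "[libdefaults]")
            continue
        if in_libdefaults and s.startswith("default_realm"):
            return s.split("=", 1)[1].strip()
    return None


def keytab_entries(klist_text):
    """Parse `klist -k` output into {"name@REALM": highest kvno present}."""
    entries = {}
    for line in klist_text.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:
            princ = f"{m.group(2)}@{m.group(3)}"
            entries[princ] = max(int(m.group(1)), entries.get(princ, 0))
    return entries


def kdc_kvno(kvno_text):
    """Extract N from "<principal>: kvno = N"; None if kvno printed an error."""
    m = re.search(r"kvno = (\d+)", kvno_text)
    return int(m.group(1)) if m else None


def diagnose(fqdn, realm, keytab, kvno_text):
    """Explain why the host-principal verification would fail, or return "ok"."""
    want = f"host/{fqdn}@{realm}"
    if want not in keytab:
        other = [p for p in keytab if p.startswith(f"host/{fqdn}@")]
        if other:
            return f"realm mismatch: keytab holds {other[0]} but default realm is {realm}"
        return f"missing: no host/{fqdn} key in the keytab"
    if "Server not found in Kerberos database" in kvno_text:
        return f"KDC has no principal {want}: the keytab is for a host the KDC no longer knows"
    remote = kdc_kvno(kvno_text)
    if remote is None:
        return f"kvno failed for {want}: {kvno_text.strip()}"
    if remote != keytab[want]:
        return f"outdated keytab: keytab kvno {keytab[want]}, KDC kvno {remote}"
    return "ok"


# Constructed samples (hypothetical host krbtest.example.com, realm EXAMPLE.COM).
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/krbtest.example.com@EXAMPLE.COM
   3 host/krbtest.example.com@EXAMPLE.COM
"""
SAMPLE_KLIST_OTHER_REALM = SAMPLE_KLIST.replace("@EXAMPLE.COM", "@CORP.EXAMPLE.NET")
SAMPLE_KVNO_NOT_FOUND = ("kvno: Server not found in Kerberos database while getting "
                         "credentials for host/krbtest.example.com@EXAMPLE.COM\n")
SAMPLE_KVNO_OK = "host/krbtest.example.com@EXAMPLE.COM: kvno = 3\n"
SAMPLE_KVNO_NEWER = "host/krbtest.example.com@EXAMPLE.COM: kvno = 4\n"

if __name__ == "__main__":
    realm = default_realm(SAMPLE_KRB5_CONF)
    fqdn = "krbtest.example.com"
    for label, klist, kvno in [
        ("thread's log", SAMPLE_KLIST, SAMPLE_KVNO_NOT_FOUND),
        ("other realm", SAMPLE_KLIST_OTHER_REALM, SAMPLE_KVNO_NOT_FOUND),
        ("stale key", SAMPLE_KLIST, SAMPLE_KVNO_NEWER),
        ("healthy", SAMPLE_KLIST, SAMPLE_KVNO_OK),
    ]:
        print(f"{label:13s} -> {diagnose(fqdn, realm, keytab_entries(klist), kvno)}")
```

To run this against a live box, feed it the output of `klist -k /etc/krb5.keytab`, the `default_realm` from /etc/krb5.conf, and `kvno host/$(hostname -f)` run after a `kinit` as any user; the kvno run is the same KRB_TGS_REQ pam_krb5 sends, so it can also be watched on port 88 in Ethereal/Wireshark (msg-type 12 is a TGS-REQ, not the AS-REQ a TGT would produce).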
