PAM hangs after authenticating against 2003 AD
Jesper Angelo
dkguru at gmail.com
Thu Aug 10 09:41:52 EDT 2006
I have trimmed down the configs heavily, so now I still can't log in,
but at least I get a "Login incorrect". Let's see...
> Clear the auth log and login as I said /locally/ with a /pure/ /local/
> user. See what happens working with this user. If you can work and
> you're not kicked out, then kinit to a principal, noting what klist
> (klist -aef --- if you want).
Local login works (logging in as 'newbie'), which shows in the logs as:
============================================================
krbtest login: newbie
Password for newbie: (local password typed in)
--[LOG]-----------------------------------------------------
Aug 10 15:28:14 krbtest login[1123]: (pam_unix) session opened for user newbie by LOGIN(uid=0)
============================================================
Then kinit to user 'guru' on AD (AD reports user authenticated):
============================================================
newbie@krbtest:~$ kinit guru
Password for guru@BORSEN-ONLINE.DK:
newbie@krbtest:~$
--[LOG]-----------------------------------------------------
(nothing happens)
============================================================
klist for user shows:
============================================================
newbie@krbtest:~$ klist -aef
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: guru@BORSEN-ONLINE.DK
Valid starting     Expires            Service principal
08/10/06 15:32:27  08/11/06 01:30:45  krbtgt/BORSEN-ONLINE.DK@BORSEN-ONLINE.DK
        renew until 08/11/06 01:32:27, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)
Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
newbie@krbtest:~$
--[LOG]-----------------------------------------------------
(nothing happens)
============================================================
Keytab shows (ran as root):
============================================================
krbtest:~# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 01/01/70 01:00:00 host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK
krbtest:~#
--[LOG]-----------------------------------------------------
(nothing happens)
============================================================
So far so good. If I then log out, add krb to login in PAM, and log
in, I get:
============================================================
krbtest login: newbie
Password for newbie@BORSEN-ONLINE.DK: (AD password for newbie typed in)
Login incorrect
Login:
--[LOG]-----------------------------------------------------
Aug 10 15:37:17 krbtest login[1151]: pam_krb5: pam_sm_authenticate(login newbie): entry:
Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt(): krb5_mk_req(): Server not found in Kerberos database
Aug 10 15:37:22 krbtest login[1151]: pam_krb5: pam_sm_authenticate(login newbie): exit: failure
Aug 10 15:37:22 krbtest login[1151]: (pam_unix) authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=newbie
Aug 10 15:37:25 krbtest login[1151]: FAILED LOGIN (1) on `tty1' FOR `newbie', Permission denied
============================================================
> Then, if you /can/ kinit /and/ work with a local user, post the pam and
> kerberos configuration files.
pam conf for login (/etc/pam.d/login):
============================================================
/etc/pam.d/login
auth sufficient pam_krb5.so debug
auth sufficient pam_unix.so try_first_pass debug
password sufficient pam_krb5.so debug
password sufficient pam_unix.so debug
account optional pam_krb5.so debug
account optional pam_unix.so debug
session optional pam_krb5.so debug
session optional pam_unix.so debug
============================================================
krb5.conf (/etc/krb5.conf)
============================================================
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kinit = FILE:/var/log/kerberos/kinit.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
debug = true
default_realm = BORSEN-ONLINE.DK
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24000
[realms]
BORSEN-ONLINE.DK = {
kdc = adtest.borsen-online.dk
admin_server = adtest.borsen-online.dk
# default_domain = borsen-online.dk
kpasswd_protocol= SET_CHANGE
}
[domain_realm]
.borsen-online.dk = BORSEN-ONLINE.DK
# borsen-online.dk = BORSEN-ONLINE.DK
[login]
debug = true
============================================================
Hope you or someone else can see what's going on...?
Thank you,
Jesper Angelo
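The log line that matters in the post is the krb5_mk_req() failure inside verify_krb_v5_tgt(): pam_krb5 obtained a TGT for the user, then tried to get a service ticket for the machine's own host/ principal so it could check the TGT against the keytab (the defence against a spoofed KDC), and the KDC answered that it has no such principal. Since the check cannot complete, pam_krb5 fails closed and login reports "Login incorrect" even though the password was right. The following Python script is an added offline diagnostic, not code from the thread or from pam_krb5: it takes the post's own krb5.conf fragment, `klist -kt` output and pam_krb5 syslog lines, embedded here as constructed samples with the line wrapping and the mailing-list " at " munging undone, derives the host principal that TGT verification asks the KDC for, checks that the keytab holds it, and maps the krb5 error string to a diagnosis. The error-to-diagnosis table and the `diagnose()` helper are my own; the error strings are MIT Kerberos's standard messages.

```python
import re

# Constructed sample input: the krb5.conf fragment from the post
# (only the parts this script reads).
KRB5_CONF = """\
[libdefaults]
        default_realm = BORSEN-ONLINE.DK
        dns_lookup_realm = true
        dns_lookup_kdc = true

[realms]
        BORSEN-ONLINE.DK = {
                kdc = adtest.borsen-online.dk
        }
"""

# Constructed sample input: the `klist -kt` output from the post, unwrapped.
KLIST_KT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   5 01/01/70 01:00:00 host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK
"""

# Constructed sample input: the pam_krb5/pam_unix syslog lines from the post,
# unwrapped into one line each.
PAM_LOG = """\
Aug 10 15:37:17 krbtest login[1151]: pam_krb5: pam_sm_authenticate(login newbie): entry:
Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt(): krb5_mk_req(): Server not found in Kerberos database
Aug 10 15:37:22 krbtest login[1151]: pam_krb5: pam_sm_authenticate(login newbie): exit: failure
Aug 10 15:37:22 krbtest login[1151]: (pam_unix) authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=newbie
"""

# My own mapping (assumption) from MIT krb5 error text seen during TGT
# verification to what it means for the administrator.
VERIFY_ERRORS = {
    "Server not found in Kerberos database":
        "the KDC has no principal matching the keytab's host/ entry; "
        "pam_krb5 could not obtain a service ticket to verify the TGT and failed closed",
    "Key table entry not found":
        "the keytab has no entry for the host principal pam_krb5 asked for",
    "Key version number for principal in key table is incorrect":
        "the keytab's KVNO does not match the KDC's key (keytab is stale)",
    "Decrypt integrity check failed":
        "the keytab key does not match the KDC's key for the host principal",
}


def default_realm(conf_text):
    """Return default_realm from the krb5.conf [libdefaults] section."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf_text, re.M)
    return m.group(1) if m else None


def keytab_principals(klist_output):
    """Parse `klist -kt` output into (kvno, principal) tuples."""
    entry = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
    found = []
    for line in klist_output.splitlines():
        m = entry.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return found


def expected_host_principal(fqdn, realm):
    """The principal pam_krb5's TGT verification requests a ticket for."""
    return f"host/{fqdn}@{realm}"


def classify_pam_krb5(log_text):
    """Find which pam_krb5 stage failed and which krb5 error it reported."""
    verify = re.compile(r"pam_krb5: verify_krb_v5_tgt\(\): (\w+)\(\): (.+?)\s*$")
    for line in log_text.splitlines():
        m = verify.search(line)
        if m:
            call, err = m.group(1), m.group(2)
            return {"stage": "verify_krb_v5_tgt", "call": call, "krb5_error": err,
                    "diagnosis": VERIFY_ERRORS.get(err, "unrecognised error during TGT verification")}
    if "pam_sm_authenticate" in log_text and "exit: failure" in log_text:
        return {"stage": "pam_sm_authenticate", "call": None, "krb5_error": None,
                "diagnosis": "no verify_krb_v5_tgt line; the failure is earlier, "
                             "check the preceding pam_krb5 lines (password, KDC reachability)"}
    return {"stage": None, "call": None, "krb5_error": None,
            "diagnosis": "no pam_krb5 failure found"}


def diagnose(log_text, klist_output, conf_text, fqdn):
    """Combine the three inputs into one report dict."""
    realm = default_realm(conf_text)
    wanted = expected_host_principal(fqdn, realm)
    in_keytab = any(p == wanted for _, p in keytab_principals(klist_output))
    report = classify_pam_krb5(log_text)
    report["host_principal"] = wanted
    report["host_principal_in_keytab"] = in_keytab
    return report


if __name__ == "__main__":
    for key, value in diagnose(PAM_LOG, KLIST_KT, KRB5_CONF, "krbtest.borsen-online.dk").items():
        print(f"{key}: {value}")
```

For the post's inputs the report says the keytab does contain host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK while the KDC reports "Server not found in Kerberos database", which narrows the problem to the KDC side: the host principal the keytab was built for is not known to the AD domain controller acting as KDC, so the keytab and the KDC have to be brought back into agreement before pam_krb5 can verify any TGT.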