PAM hangs after authenticating against 2003 AD

Markus Moeller huaraz at moeller.plus.com
Sat Aug 12 07:36:50 EDT 2006


You still have "Server not found in Kerberos database" in your log. Could
you capture the TGS REQ and reply with ethereal?
Sometimes the issue is a wrong hosts entry (e.g. the short hostname is in
front of the FQDN).

Markus

"Jesper Angelo" <dkguru at gmail.com> wrote in message 
news:1155217312.436481.42170 at h48g2000cwc.googlegroups.com...
> I have trimmed down the configs heavily, so now I still can't login,
> but at least I get a login incorrect. Let's see...
>
>> Clear the auth log and login as I said /locally/ with a /pure/ /local/
>> user. See what happens working with this user. If you can work and
>> you're not kicked out, then kinit to a principal, noting what klist
>> (klist -aef --- if you want).
>
> Local login works (login as 'newbie'), which shows in the logs as:
> ============================================================
> krbtest login: newbie
> Password for newbie: (local password typed in)
> --[LOG]-----------------------------------------------------
> Aug 10 15:28:14 krbtest login[1123]: (pam_unix) session opened for user
> newbie by LOGIN(uid=0)
> ============================================================
>
> Then kinit to user 'guru' on AD (AD reports user authenticated):
> ============================================================
> newbie at krbtest:~$ kinit guru
> Password for guru at BORSEN-ONLINE.DK:
> newbie at krbtest:~$
> --[LOG]-----------------------------------------------------
> (nothing happens)
> ============================================================
>
> klist for user shows:
> ============================================================
> newbie at krbtest:~$ klist -aef
> Ticket cache: FILE:/tmp/krb5cc_1001
> Default principal: guru at BORSEN-ONLINE.DK
>
> Valid starting     Expires            Service principal
> 08/10/06 15:32:27  08/11/06 01:30:45
> krbtgt/BORSEN-ONLINE.DK at BORSEN-ONLINE.DK
>        renew until 08/11/06 01:32:27, Flags: RIA
>        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>        Addresses: (none)
>
>
> Kerberos 4 ticket cache: /tmp/tkt1001
> klist: You have no tickets cached
> newbie at krbtest:~$
> --[LOG]-----------------------------------------------------
> (nothing happens)
> ============================================================
>
> Keytab shows (ran as root):
> ============================================================
> krbtest:~# klist -kt
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>   5 01/01/70 01:00:00 host/krbtest.borsen-online.dk at BORSEN-ONLINE.DK
> krbtest:~#
> --[LOG]-----------------------------------------------------
> (nothing happens)
> ============================================================
>
> So far so good. If I then log out, add krb to login in PAM, and log
> in, I get:
> ============================================================
> krbtest login: newbie
> Password for newbie at BORSEN-ONLINE.DK: (ad password for newbie typed in)
> Login incorrect
>
> Login:
> --[LOG]-----------------------------------------------------
> Aug 10 15:37:17 krbtest login[1151]: pam_krb5:
> pam_sm_authenticate(login newbie): entry:
> Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt():
> krb5_mk_req(): Server not found in Kerberos database
> Aug 10 15:37:22 krbtest login[1151]: pam_krb5:
> pam_sm_authenticate(login newbie): exit: failure
> Aug 10 15:37:22 krbtest login[1151]: (pam_unix) authentication failure;
> logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=newbie
> Aug 10 15:37:25 krbtest login[1151]: FAILED LOGIN (1) on `tty1' FOR
> `newbie', Permission denied
> ============================================================
>
>
>> Then, if you /can/ kinit /and/ work with a local user, post the pam and
>> kerberos configuration files.
>
> pam conf for login (/etc/pam.d/login):
> ============================================================
> /etc/pam.d/login
> auth            sufficient      pam_krb5.so debug
> auth            sufficient      pam_unix.so try_first_pass debug
>
> password        sufficient      pam_krb5.so debug
> password        sufficient      pam_unix.so debug
>
> account         optional        pam_krb5.so debug
> account         optional        pam_unix.so debug
>
> session         optional        pam_krb5.so debug
> session         optional        pam_unix.so debug
> ============================================================
>
> krb5.conf (/etc/krb5.conf)
> ============================================================
> [logging]
>        default         =       FILE:/var/log/kerberos/krb5libs.log
>        kinit           =       FILE:/var/log/kerberos/kinit.log
>        kdc             =       FILE:/var/log/kerberos/krb5kdc.log
>        admin_server    =       FILE:/var/log/kerberos/kadmind.log
>
> [libdefaults]
>        debug = true
>        default_realm = BORSEN-ONLINE.DK
>        dns_lookup_realm = true
>        dns_lookup_kdc = true
>        ticket_lifetime = 24000
>
> [realms]
>        BORSEN-ONLINE.DK = {
>        kdc             = adtest.borsen-online.dk
>        admin_server    = adtest.borsen-online.dk
> #       default_domain  = borsen-online.dk
>        kpasswd_protocol= SET_CHANGE
>        }
>
> [domain_realm]
>        .borsen-online.dk       = BORSEN-ONLINE.DK
> #       borsen-online.dk        = BORSEN-ONLINE.DK
>
> [login]
>        debug = true
> ============================================================
>
>
> Hope you or someone else can see what's going on...?
>
>
> Thank you,
>
> Jesper Angelo
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
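The hosts-file check suggested above, worked through as an added example (this script is not part of the original post and not from either poster). pam_krb5's verify_krb_v5_tgt() calls gethostname() and krb5_sname_to_principal(), which canonicalises the name through the resolver; with glibc and /etc/hosts the canonical name is the first name after the address on the matching line, so "192.0.2.10 krbtest krbtest.borsen-online.dk" yields host/krbtest@REALM, which is not the host/krbtest.borsen-online.dk@REALM key in the keytab and which AD has never seen. The hosts entries, the 192.0.2.10 address and the klist -kt listing below are constructed sample input; the realm and principal names follow the thread. The script reproduces the resolver's first-name rule on that sample input; on a real machine older MIT libraries may also reverse-resolve the address (rdns), so check the PTR record too.

```shell
#!/bin/sh
# Constructed /etc/hosts samples (not from the original post). glibc takes the
# FIRST name after the address as the canonical hostname; later names are aliases.
BAD_HOSTS='127.0.0.1 localhost
192.0.2.10 krbtest krbtest.borsen-online.dk'

GOOD_HOSTS='127.0.0.1 localhost
192.0.2.10 krbtest.borsen-online.dk krbtest'

# Constructed keytab listing in `klist -kt` format (mirrors the thread's keytab).
KEYTAB='KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 01/01/70 01:00:00 host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK'

# canonical_name HOSTS_TEXT NAME -> canonical name on the hosts line that lists NAME
# (the first name after the address, as the glibc files resolver returns it).
canonical_name() {
  printf '%s\n' "$1" | awk -v n="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == n) { print $2; exit } }'
}

# host_principal HOSTS_TEXT NAME REALM -> the service principal pam_krb5 will
# ask the KDC for: host/<canonical name>@REALM
host_principal() {
  printf 'host/%s@%s\n' "$(canonical_name "$1" "$2")" "$3"
}

# keytab_has KEYTAB_TEXT PRINCIPAL -> exit 0 if the principal appears in the listing
keytab_has() {
  printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# check HOSTS_TEXT NAME REALM KEYTAB_TEXT -> prints ok/mismatch with the principal
check() {
  p=$(host_principal "$1" "$2" "$3")
  if keytab_has "$4" "$p"; then
    echo "ok: $p is in the keytab"
  else
    echo "mismatch: host will request $p, which is not in the keytab" \
         "(the KDC answers 'Server not found in Kerberos database')"
  fi
}

check "$BAD_HOSTS"  krbtest BORSEN-ONLINE.DK "$KEYTAB"
check "$GOOD_HOSTS" krbtest BORSEN-ONLINE.DK "$KEYTAB"
```

To run the same check against a live box, replace the constructed strings with `getent hosts "$(hostname)"` and `klist -kt` output; the ethereal/tshark capture Markus asks for is the TGS-REQ on port 88, where the sname field shows exactly which host principal was requested.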
> 