pam_krb5 can't locate my KDC

Michael B Allen mba2000 at ioplex.com
Mon Aug 21 01:29:24 EDT 2006


On Mon, 21 Aug 2006 05:02:06 +0100 (BST)
sayali k <sayali_s_kulkarni at yahoo.co.in> wrote:

> Hi Michael,
>   From what I know about Kerberos and the configurations for the same, ideally there is one more section which I feel should be included in the krb5.conf file. It is called the libdefaults section where we can specify the default values for some of the parameters like the domain name, ticket lifetime etc. The section looks something like this:
>    
>   [libdefaults]
>         default_realm = MYDOMAIN.COM
<snip>
>   Can you try adding the libdefaults section as well in the krb5.conf file?
>    

With a libdefaults section I no longer see any _kerberos.foo.net TXT
lookups so the change definitely had an effect. Unfortunately the capture
also shows it still doesn't attempt to communicate with the KDC at all.

That was using pam.d/sshd. I tried telnet with a pam.d/telnet but for
some reason the file is ignored. Are xinetd services handled specially? Does
a localhost logon bypass PAM?

If I add [appdefaults] pam = { debug = true }, add *.debug to
/etc/syslog.conf and restart syslog I should see some debugging output
but I get absolutely nothing.

And I thought I was good at Linux stuff.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
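
Added example, not part of the original thread: a small Python check that reads a krb5.conf and reports where the realm and the KDC addresses would have to come from, which is the distinction behind the `_kerberos.foo.net` TXT lookups disappearing once `default_realm` was set. The host `kdc1.mydomain.com`, the sample files and the function names are constructed for illustration, and the DNS fallbacks shown (TXT for the realm, SRV `_kerberos._udp.REALM` for the KDC) assume a Kerberos build with DNS lookups enabled.

```python
import re

FALSE_WORDS = {"false", "no", "off", "0", "n", "f", "nil"}

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":  # opens a subsection, e.g. one realm
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def kdc_lookup_plan(text, host_domain):
    """Report where the realm and its KDCs would come from for this config."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [None])[0]
    if realm is None:
        # No default_realm: the realm must be discovered (assumed: DNS TXT).
        return {"realm": None, "realm_source": f"TXT _kerberos.{host_domain}",
                "kdcs": [], "kdc_source": "unknown until the realm is resolved"}
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        source = "[realms] kdc entries"
    elif lib.get("dns_lookup_kdc", ["true"])[0].lower() in FALSE_WORDS:
        source = "none: no kdc entry and dns_lookup_kdc is off"
    else:
        source = f"SRV _kerberos._udp.{realm}"  # assumed DNS fallback
    return {"realm": realm, "realm_source": "default_realm",
            "kdcs": kdcs, "kdc_source": source}

# Constructed samples; kdc1.mydomain.com is a hypothetical host name.
NO_LIBDEFAULTS = "[realms]\n    MYDOMAIN.COM = {\n        kdc = kdc1.mydomain.com\n    }\n"
REALM_ONLY = "[libdefaults]\n    default_realm = MYDOMAIN.COM\n"
WITH_LIBDEFAULTS = REALM_ONLY + NO_LIBDEFAULTS

if __name__ == "__main__":
    for name in ("NO_LIBDEFAULTS", "REALM_ONLY", "WITH_LIBDEFAULTS"):
        print(name, kdc_lookup_plan(globals()[name], "foo.net"))
```

If the plan names a KDC source but a packet capture shows no traffic to it, the Kerberos configuration is probably not the failing layer and the PAM stack for the service is the next place to check.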


