pam_krb5 can't locate my KDC

Michael B Allen mba2000 at
Mon Aug 21 12:05:24 EDT 2006

On Mon, 21 Aug 2006 10:39:13 -0400
Jeffrey Hutzelman <jhutz at> wrote:

> On Sunday, August 20, 2006 11:19:13 PM -0400 Michael B Allen 
> <mba2000 at> wrote:
> > I was just trying pam_krb5 for kicks but it can't find my KDC. My
> > /etc/krb5.conf is just:
> It helps a lot if you quote actual error messages, instead of paraphrasing 
> them.  Similarly, it's going to be a lot easier to track down the problem 
> if you send your real krb5.conf, instead of trying to obfuscate the names. 
> Perhaps you could also tell us the name of the machine you're trying this 
> on.

[root at quark pam.d]# cat sshd
auth       requisite
account    required service=system-auth
password   required service=system-auth
session    required service=system-auth

[root at quark etc]# cat krb5.conf
        default_realm = WIN.NET

  pam = {
    debug = true

        WIN.NET = {
                kdc =

[domain_realm] = WIN.NET = WIN.NET

[miallen at quark src]$ ssh user5 at
user5 at's password: 
Permission denied, please try again.

There is no user5 on the local system. My expectation is that
should use the supplied password to get a TGT thereby authenticating me
(I'm assuming not having a shell or home directory is not interfering
with this step).

No names have been obfuscated. These files are exactly as they appear

Looking at Ethereal shows only the DNS lookup for There
is no KDC communication.

Interestingly, if I have the same auth line in /etc/pam.d/hddtemp and
run that program I actually get the expected KDC communication but of
course I don't have a principal for 'root' and therefore it fails with

Perhaps my expectations are misguided? What does pam_krb5 do exactly?


Michael B Allen
PHP Active Directory SSO
