pam_krb5 can't locate my KDC

Michael B Allen mba2000 at ioplex.com
Mon Aug 21 12:05:24 EDT 2006


On Mon, 21 Aug 2006 10:39:13 -0400
Jeffrey Hutzelman <jhutz at cmu.edu> wrote:

> 
> 
> On Sunday, August 20, 2006 11:19:13 PM -0400 Michael B Allen 
> <mba2000 at ioplex.com> wrote:
> 
> > I was just trying pam_krb5 for kicks but it can't find my KDC. My
> > /etc/krb5.conf is just:
> 
> It helps a lot if you quote actual error messages, instead of paraphrasing 
> them.  Similarly, it's going to be a lot easier to track down the problem 
> if you send your real krb5.conf, instead of trying to obfuscate the names. 
> Perhaps you could also tell us the name of the machine you're trying this 
> on.

[root at quark pam.d]# cat sshd
#%PAM-1.0
auth       requisite    pam_krb5.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

[root at quark etc]# cat krb5.conf
[libdefaults]
        default_realm = WIN.NET

[appdefaults]
  pam = {
    debug = true
  }

[realms]
        WIN.NET = {
                kdc = ts0.win.net
        }

[domain_realm]
        .foo.net = WIN.NET
        foo.net = WIN.NET

[miallen at quark src]$ ssh user5 at quark.foo.net
user5 at quark.foo.net's password: 
Permission denied, please try again.

There is no user5 on the local system. My expectation is that pam_krb5.so
should use the supplied password to get a TGT thereby authenticating me
(I'm assuming not having a shell or home directory is not interfering
with this step).

No names have been obfuscated. These files are exactly as they appear
above.

Looking at Ethereal shows only the DNS lookup for quark.foo.net. There
is no KDC communication.

Interestingly if I have the same auth line in /etc/pam.d/hddtemp and
run that program I actually get the expected KDC communication but of
course I don't have a principal for 'root' and therefore it fails with
KRB5KDC_ERR_S_UNKNOWN_PRINCIPAL.

Perhaps my expectations are misguided? What does pam_krb5 do exactly?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
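Added example (not from the post or from pam_krb5): a small parser for the krb5.conf shown above that applies the [domain_realm] and [realms] lookups the way libkrb5 does, so you can check from the config alone whether the client should know which KDC serves quark.foo.net. On this config it maps quark.foo.net to WIN.NET and finds ts0.win.net, so a missing KDC packet is not explained by a realm-mapping gap; the sample text is constructed from the poster's file and the function names are my own.

```python
import re

# Constructed sample: the poster's krb5.conf, reproduced verbatim.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = WIN.NET
[appdefaults]
    pam = {
        debug = true
    }
[realms]
    WIN.NET = {
        kdc = ts0.win.net
    }
[domain_realm]
    .foo.net = WIN.NET
    foo.net = WIN.NET
"""

def parse_krb5_conf(text):
    """Return {section: {key: value or {subkey: value}}} (one brace level)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                 # new [section]
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":                     # end of a { ... } block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                  # start of a REALM = { ... } block
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup as libkrb5 does it: exact host, then the longest
    matching '.parent.domain' entry, else default_realm."""
    mapping, host = conf.get("domain_realm", {}), host.lower().rstrip(".")
    labels = host.split(".")
    for cand in [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if cand in mapping:
            return mapping[cand]
    return conf.get("libdefaults", {}).get("default_realm")

def kdc_for_realm(conf, realm):
    """Configured KDC, or None: libkrb5 would then need DNS SRV records."""
    return conf.get("realms", {}).get(realm, {}).get("kdc")
```

Run it against a real /etc/krb5.conf before blaming PAM: if `kdc_for_realm` returns None for the realm `realm_for_host` picks, the client must find the KDC via DNS SRV records, which is worth confirming in the capture.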
