pam_krb5 can't locate my KDC
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Aug 21 12:20:12 EDT 2006
On Monday, August 21, 2006 12:05:24 PM -0400 Michael B Allen
<mba2000 at ioplex.com> wrote:
> [miallen at quark src]$ ssh user5 at quark.foo.net
> user5 at quark.foo.net's password:
> Permission denied, please try again.
>
> There is no user5 on the local system. My expectation is that pam_krb5.so
> should use the supplied password to get a TGT thereby authenticating me
> (I'm assuming not having a shell or home directory is not interfering
> with this step).
If the user doesn't exist in /etc/passwd or whatever other source you're
using for account information, then you're never going to be able to log
in. Depending on the PAM module in question, there might not be any
communication with the KDC before that happens.
Now, if this happens with a user that does exist, that's a different issue.
In that case, the interesting messages will be the ones in the log, rather
than what the user gets to see.
> Perhaps my expectations are misguided? What does pam_krb5 do exactly?
There are several PAM modules that call themselves pam_krb5, so a precise
answer to that question is not possible without more information. But, it
does what any PAM module does, which is to handle authentication and make
an authorization decision. In your first example, the authorization
decision fails - you can't log in as user5 because there is no such user.
In the second example, the authentication step fails, because the principal
doesn't exist in the Kerberos database.
-- Jeff
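To make the ordering Jeff describes concrete, here is an added example (not from this thread or from any pam_krb5 implementation) that simulates a login in Python: the local account lookup is the authorization step and runs first; only when it succeeds does the Kerberos-style authentication step go to a KDC. The KDC is a constructed in-memory stand-in, and the realm `FOO.NET`, the principal table and the log line formats are assumptions.

```python
"""Simulated login sequence: local account check first, KDC only afterwards."""
import pwd
from enum import Enum


class LoginResult(Enum):
    OK = "ok"
    NO_LOCAL_ACCOUNT = "no local account"    # authorization failure, KDC never asked
    UNKNOWN_PRINCIPAL = "unknown principal"  # authentication failure reported by KDC
    BAD_PASSWORD = "bad password"            # authentication failure reported by KDC


# Constructed stand-in for a KDC database: principal -> password.
# A real pam_krb5 would send an AS-REQ here; this is only a simulation.
FAKE_KDC = {"user7@FOO.NET": "correct horse"}
kdc_requests = []  # every principal the fake KDC was asked about, in order


def fake_kdc_as_req(principal, password):
    """Constructed KDC: records the request, then answers like an AS exchange."""
    kdc_requests.append(principal)
    if principal not in FAKE_KDC:
        return LoginResult.UNKNOWN_PRINCIPAL
    if FAKE_KDC[principal] != password:
        return LoginResult.BAD_PASSWORD
    return LoginResult.OK


def local_account_exists(username):
    """Authorization step: does the account exist in the local passwd source?"""
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False


def attempt_login(username, password, realm="FOO.NET",
                  kdc=fake_kdc_as_req, account_exists=local_account_exists):
    """Return (result, log_line). The account check runs first, so a user that
    is missing locally never causes any KDC traffic, which is why the log, not
    the 'Permission denied' the user sees, tells the two failures apart."""
    if not account_exists(username):
        return (LoginResult.NO_LOCAL_ACCOUNT,
                f"login: user {username} not found in local account database")
    principal = f"{username}@{realm}"
    result = kdc(principal, password)
    return result, f"pam_krb5: {principal}: {result.value}"
```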