pam_krb5 can't locate my KDC

Jeffrey Hutzelman jhutz at
Mon Aug 21 12:20:12 EDT 2006

On Monday, August 21, 2006 12:05:24 PM -0400 Michael B Allen 
<mba2000 at> wrote:

> [miallen at quark src]$ ssh user5 at
> user5 at's password:
> Permission denied, please try again.
> There is no user5 on the local system. My expectation is that
> should use the supplied password to get a TGT thereby authenticating me
> (I'm assuming not having a shell or home directory is not interfering
> with this step).

If the user doesn't exist in /etc/passwd or whatever other source you're 
using for account information, then you're never going to be able to log 
in.  Depending on the PAM module in question, there might not be any 
communication with the KDC before that happens.

Now, if this happens with a user that does exist, that's a different issue. 
In that case, the interesting messages will be the ones in the log, rather 
than what the user gets to see.

> Perhaps my expectations are misguided? What does pam_krb5 do exactly?

There are several PAM modules that call themselves pam_krb5, so a precise 
answer to that question is not possible without more information.  But, it 
does what any PAM module does, which is to handle authentication and make 
an authorization decision.  In your first example, the authorization 
decision fails - you can't log in as user5 because there is no such user. 
In the second example, the authentication step fails, because the principal 
doesn't exist in the Kerberos database.

-- Jeff

More information about the Kerberos mailing list