Can use kerberized telnet, but cannot use pam_krb5
Ralf Hildebrandt
Ralf.Hildebrandt at charite.de
Wed Feb 1 07:04:34 EST 2006
I'm at my wits' end.
I'm trying to use a Win2k ADS/Kerberos Infrastructure with Debian
GNU/Linux clients.
What I can do on the host:
----------- snip ----------
# kinit -V hildeb
Password for hildeb@CHARITE.DE:
Authenticated to Kerberos v5
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hildeb@CHARITE.DE

Valid starting     Expires            Service principal
02/01/06 12:58:23  02/01/06 22:58:25  krbtgt/CHARITE.DE@CHARITE.DE
        renew until 02/02/06 12:58:23

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
----------- snip ----------
I can also use the kerberized telnetd (/usr/bin/telnet.krb5 from the
krb5-clients package) and log into that host successfully (with the
username & password that the win2k provides).
What I can't do: I'm trying to use
libpam-krb5 1.2.0-1 (PAM module for MIT Kerberos)
as the PAM module for OpenVPN:
----------- snip ----------
# PAM configuration for OpenVPN
auth sufficient pam_krb5.so debug ignore_root
account required pam_krb5.so debug ignore_root
----------- snip ----------
any login attempt from openvpn results in:
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_authenticate: entry
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: openvpn-krb5
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): hildeb: pam_sm_authenticate: exit (success)
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_acct_mgmt: entry
and openvpn crashes afterwards...
Questions:
==========
What does "verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found" mean?
I probably need to get rid of that error in order to get things flying.
My /etc/krb5.conf is attached.
--
Ralf Hildebrandt (i.A. des IT-Zentrums) Ralf.Hildebrandt at charite.de
Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30-450 570-962
IT-Zentrum Standort CBF send no mail to spamtrap at charite.de
----------- attached /etc/krb5.conf ----------
[libdefaults]
    default_realm = CHARITE.DE
    # this really is the domain name. Funnily enough, other institutions always seem
    # to make DNS domain == Win2k domain. For us it is different :(
    # UPPERCASE is important!!
    clockskew = 300
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    # dns_lookup_kdc = true

[realms]
    CHARITE.DE = {
        # kdc = DC-CHARITE-1.CHARITE.DE
        # kdc = dc-charite-2.charite.de
        # kdc = dc-charite-3.charite.de
        kdc = dc-charite-4.charite.de
        default_domain = CHARITE.DE
        kpasswd_server = DC-CHARITE-1.CHARITE.DE
    }

[domain_realm]
    .charite.de = CHARITE.DE

[logging]
    default = FILE:/var/log/krb5lib.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = true
    }
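Editor's note, added example (not part of the original post or of libpam-krb5): the `verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found` line is pam_krb5's TGT-verification step. After obtaining a TGT with the user's password, the module requests a service ticket for the local host principal (`host/<fqdn>@REALM`) and decrypts it with the key stored in the host keytab (`/etc/krb5.keytab` by default); this is what stops a spoofed KDC from "authenticating" a user by simply handing back a TGT. The error means the keytab has no key for that host principal, so the verification cannot be performed. The shell function below checks a `klist -k` listing for the expected entry; the hostname `vpn-gw-int.charite.de`, the KVNOs and the listings are constructed sample data, not output from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a keytab listing
# contains the host/<fqdn>@REALM key that pam_krb5's TGT verification needs.
# Real-world use on the client host:
#   keytab_has_host_key "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" CHARITE.DE
keytab_has_host_key() {
    listing="$1"; fqdn="$2"; realm="$3"
    # Match a whole principal at the end of a line; dots in the FQDN are
    # escaped so they match literally rather than as regex wildcards.
    escaped=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    printf '%s\n' "$listing" | grep -q "host/${escaped}@${realm}\$"
}

# Constructed sample of `klist -k` output for a keytab that has the host key.
SAMPLE_WITH_KEY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/vpn-gw-int.charite.de@CHARITE.DE
   3 host/vpn-gw-int.charite.de@CHARITE.DE'

# Constructed sample for a keytab that only carries a service key for OpenVPN
# but no host/ principal: pam_krb5 would report "Key table entry not found".
SAMPLE_WITHOUT_KEY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 openvpn/vpn-gw-int.charite.de@CHARITE.DE'

# Stand-alone demonstration on the constructed samples.
for sample in "$SAMPLE_WITH_KEY" "$SAMPLE_WITHOUT_KEY"; do
    if keytab_has_host_key "$sample" vpn-gw-int.charite.de CHARITE.DE; then
        echo "host key present: pam_krb5 can verify the TGT"
    else
        echo "host key missing: expect krb5_kt_read_service_key() to fail"
    fi
done
```

The function only inspects the listing; it does not tell you whether the key in the keytab still matches the KVNO the domain controller holds, so a stale entry can pass this check and still fail at ticket decryption. `klist -k` is the MIT Kerberos keytab listing command shipped with the same krb5 packages used in the post.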