Can use kerberized telnet, but cannot use pam_krb5

Russ Allbery rra at stanford.edu
Wed Feb 1 14:41:40 EST 2006


Ralf Hildebrandt <Ralf.Hildebrandt at charite.de> writes:

> I can also use the kerberized telnetd (/usr/bin/telnet.krb5 from the
> krb5-clients package) and log into that host successfully (with the
> username & password that the win2k provides).

> What I can't do: I'm trying to use 
> libpam-krb5              1.2.0-1  PAM module for MIT Kerberos

> as PAM modules for OpenVPN:

That looks like a Debian version number.  If so, please try 1.2.0-2; I
fixed a bunch of issues in that release that were in 1.2.0-1.

If that still doesn't help, make sure that any .k5login file in the user's
home directory is readable by the process doing the authentication.  This
is a required step in Kerberos authentication; without that sort of
verification, one is making the blind assumption that the Kerberos
principal matches the account name.  However, if that was the problem, it
should have failed earlier, so I don't think that's really the problem.

The verification step is probably a red herring; it will always fail if
the authentication isn't being done as root, since it can't read the
keytab file.  I still need to take a closer look at it and see if I can at
least improve the logging.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
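
An added example, not part of the original message and not pam_krb5 code: a Python check of whether a given uid can reach and read a user's .k5login and the keytab, the two file accesses the message describes. The function names, the `start` parameter and the `/etc/krb5.keytab` default are assumptions; only classic mode bits are evaluated.

```python
import os
import sys

def _allowed(st, uid, gids, want):
    # Classic owner/group/other mode-bit check; ACLs, capabilities and
    # SELinux/AppArmor policy are not modelled here.
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def first_blocker(path, uid, gids, start="/"):
    """Return the first component `uid` cannot pass, "missing", or None.

    Directories from `start` downward need search (x) permission and the
    final file needs read (r) permission.
    """
    current = os.path.abspath(start)
    parts = os.path.relpath(os.path.abspath(path), current).split(os.sep)
    try:
        for part in parts:
            if not _allowed(os.stat(current), uid, gids, 0o1):
                return current
            current = os.path.join(current, part)
        readable = _allowed(os.stat(current), uid, gids, 0o4)
    except FileNotFoundError:
        return "missing"
    return None if readable else current

def audit(k5login, keytab, uid, gids, start="/"):
    """List the reasons the two checks from the message would fail."""
    findings = []
    blocker = first_blocker(k5login, uid, gids, start)
    if blocker not in (None, "missing"):  # only an existing file matters
        findings.append(f".k5login not readable, blocked at {blocker}")
    blocker = first_blocker(keytab, uid, gids, start)
    if blocker is not None:
        findings.append(f"keytab not usable ({blocker}); verification fails")
    return findings

if __name__ == "__main__":
    # Usage: script.py <uid of authenticating process> <user's home dir>
    # Assumed keytab path: /etc/krb5.keytab. Supplementary groups omitted.
    uid, home = int(sys.argv[1]), sys.argv[2]
    for finding in audit(os.path.join(home, ".k5login"),
                         "/etc/krb5.keytab", uid, set()):
        print(finding)
```

Run it as root so that every path component can be inspected, passing the uid the OpenVPN (or other PAM-using) process runs as.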


