Linux Login Failure

jiang licht licht_jiang at yahoo.com
Tue Jun 26 12:02:50 EDT 2007


Kerberos 5 is configured on an OpenSuse machine.
Login always fails for normal users except for 'root'
(/bin/login should be used instead of the kerberized
login.krb5 shipped with the K5 installation package,
but the following message shows that this /bin/login
is kerberized, since it reports a Kerberos
authentication failure upon Linux login). The
krb5kdc.log looks OK, but there are some error
messages in syslog.

[krb5kdc.log]
Jun 26 10:32:03 mymachine krb5kdc[14079](info): AS_REQ
(7 etypes {18 17 16 23 1 3 2}) 192.168.1.101: ISSUE:
authtime 1182871923, etypes {rep=16 tkt=16 ses=16},
tester at MYDOMAIN for krbtgt/MYDOMAIN at MYDOMAIN

[/var/log/messages]
Jun 26 09:59:10 mymachine kdm: :1[14582]:
pam_krb5[14582]: authentication fails for 'tester'
(tester at MYDOMAIN): Authentication failure (Decrypt
integrity check failed)

'tester' is added both as a local user and as a
principal in Kerberos. 'tester' could log on without
problems before K5 was installed. The problem appears
when logging on locally on the machine as 'tester' or
as other normal users.

From the pam_krb5 error message, some Google results
suggest this:

[google]

Cause:

You might have an invalid ticket.

Solution:

Verify both of these conditions:

    * Make sure that your credentials are valid.
      Destroy your tickets with kdestroy, and create
      new tickets with kinit.

    * Make sure that the target host has a keytab file
      with the correct version of the service key. Use
      kadmin to view the key version number of the
      service principal (for example,
      host/FQDN-hostname) in the Kerberos database.
      Also, use klist -k on the target host to make
      sure that it has the same key version number.
[/google]

So, from this, I used the following commands to verify
whether the principals use the same key as the 'host'
principal of the master KDC.

After checking with the command 'klist -k', it shows:

KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mymachine at MYDOMAIN
   3 host/mymachine at MYDOMAIN

Then, running 'kadmin.local: get_principal host/mymachine' shows:
Principal: host/mymachine at MYDOMAIN
Expiration date: [never]
Last password change: Tue Jun 26 09:58:41 CDT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Jun 26 09:58:41 CDT 2007 (tester/admin at MYDOMAIN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

So, it seems OK(?). The error message suggests to me
that there is some discrepancy between the service key
of the master KDC and the one used for the principal?
But to ensure everything is OK, this is the order:
- create the host/mymachine at MYDOMAIN principal
- extract the host keytab for the above principal to
/etc/krb5.keytab
- add the principal for 'tester'

Any thoughts? Thanks


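An added check, not part of the post above and not from the MIT Kerberos project: the quoted advice is to confirm that the host keytab and the KDC hold the same key version, and the poster's 'klist -k' listing shows only the KVNO. 'klist -ke' also prints the enctype of each keytab entry, which is what this script compares against the "Key: vno N, ENCTYPE, SALT" lines of 'getprinc'. The 'klist -ke' and 'kadmin.local' outputs embedded below are constructed for the demonstration (one keytab that agrees with the KDC, one stale keytab at kvno 2), not captured from the poster's machine; the principal name host/mymachine@MYDOMAIN is taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the Kerberos project).
# Compares the (KVNO, ENCTYPE) pairs a service principal has in the local
# keytab with the ones the KDC holds for it. Assumes MIT Kerberos output
# formats for `klist -ke` and `kadmin.local -q "getprinc PRINC"`.

# keytab_keys PRINC   (stdin: `klist -ke` output)
# Prints one "KVNO ENCTYPE" line per keytab entry for PRINC, sorted.
# Entry lines look like:  "   3 host/x@REALM (Triple DES cbc mode with HMAC/sha1)"
keytab_keys() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p && match($0, /\(.*\)/) {
            print $1, substr($0, RSTART + 1, RLENGTH - 2)
        }' | sort
}

# kdc_keys   (stdin: `kadmin.local -q "getprinc PRINC"` output)
# Prints one "KVNO ENCTYPE" line per "Key: vno N, ENCTYPE, SALT" line, sorted.
kdc_keys() {
    sed -n 's/^Key: vno \([0-9][0-9]*\), \([^,]*\),.*/\1 \2/p' | sort
}

# compare_keys PRINC KLIST_FILE GETPRINC_FILE
# Returns 0 when both sides list exactly the same (KVNO, ENCTYPE) pairs,
# 1 otherwise, printing both lists so the stale side is visible.
compare_keys() {
    kt=$(keytab_keys "$1" < "$2")
    kdc=$(kdc_keys < "$3")
    if [ -z "$kt" ]; then
        echo "no entries for $1 in the keytab listing" >&2
        return 1
    fi
    if [ "$kt" = "$kdc" ]; then
        echo "OK: keytab and KDC agree for $1"
        return 0
    fi
    echo "MISMATCH for $1" >&2
    echo "--- keytab:" >&2; echo "$kt" >&2
    echo "--- KDC:" >&2;    echo "$kdc" >&2
    return 1
}

PRINC='host/mymachine@MYDOMAIN'
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed `klist -ke` output: keytab agrees with the KDC (kvno 3, both enctypes).
cat > "$TMP/kt_ok.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mymachine@MYDOMAIN (Triple DES cbc mode with HMAC/sha1)
   3 host/mymachine@MYDOMAIN (DES cbc mode with CRC-32)
EOF

# Constructed `klist -ke` output: stale keytab extracted before the key on the
# KDC was changed again (kvno 2 while the KDC is at 3).
cat > "$TMP/kt_stale.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mymachine@MYDOMAIN (Triple DES cbc mode with HMAC/sha1)
   2 host/mymachine@MYDOMAIN (DES cbc mode with CRC-32)
EOF

# Constructed `kadmin.local -q "getprinc host/mymachine@MYDOMAIN"` output,
# trimmed to the lines the comparison reads.
cat > "$TMP/princ.txt" <<'EOF'
Principal: host/mymachine@MYDOMAIN
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
EOF

compare_keys "$PRINC" "$TMP/kt_ok.txt" "$TMP/princ.txt"
compare_keys "$PRINC" "$TMP/kt_stale.txt" "$TMP/princ.txt" || echo "(mismatch reported, as expected for the stale sample)"

# Live use, as root on the machine that holds both the keytab and the KDC database:
#   klist -ke > /tmp/kt.txt
#   kadmin.local -q "getprinc $PRINC" > /tmp/princ.txt
#   compare_keys "$PRINC" /tmp/kt.txt /tmp/princ.txt
```

Run the live variant with the keytab the login stack actually reads (by default /etc/krb5.keytab, or the file named by `klist -ke -t FILE`); a listing that agrees on KVNO but is taken from a different keytab file than the one pam_krb5 uses tells you nothing.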
