Linux Login Failure

jiang licht licht_jiang at yahoo.com
Tue Jun 26 14:10:12 EDT 2007


Found the problem. "kerberos client" was enabled in
YaST in OpenSuse. Maybe there is some conflict w/ the
Krb5 version downloaded and installed, and there is
some configuration problem as well. Though I've not
figured out the details, clearly, with "kerberos client"
enabled, /bin/login uses pam_krb5 for authentication,
and it got confused and found the wrong keys or something.
Anyway, there is no logon problem anymore after I
disabled "kerberos client" from the YaST console.

Hope some guru (OpenSuse?) can post some explanation
of how authentication really works when "kerberos
client" is enabled in the YaST console.

Thanks for your attention.


--- jiang licht <licht_jiang at yahoo.com> wrote:

> Kerberos 5 is configured for an OpenSuse machine.
> Login always fails for normal users except for 'root'.
> (/bin/login should be used instead of the kerberized
> version, login.krb5, shipped with the K5 installation
> package. But the following message shows that this
> /bin/login is kerberized, since it reports a kerberos
> authentication failure upon linux login.) The
> krb5kdc.log looks ok, but there is some error message
> in syslog.
> 
> [krb5kdc.log]
> Jun 26 10:32:03 mymachine krb5kdc[14079](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.101: ISSUE: authtime 1182871923, etypes {rep=16 tkt=16 ses=16}, tester@MYDOMAIN for krbtgt/MYDOMAIN@MYDOMAIN
> 
> [/var/log/messages]
> Jun 26 09:59:10 mymachine kdm: :1[14582]: pam_krb5[14582]: authentication fails for 'tester' (tester@MYDOMAIN): Authentication failure (Decrypt integrity check failed)
> 
> 'tester' is added both as a local user and as a
> principal in kerberos. 'tester' could logon w/o problem
> before K5 was installed. The problem appears when
> logging on locally on the machine as 'tester' or other
> normal users.
> 
> From the pam_krb5 error message, some googled results
> suggest this:
> 
> [google]
> 
> Cause:
> 
> You might have an invalid ticket.
> 
> Solution:
> 
> Verify both of these conditions:
> 
>   * Make sure that your credentials are valid. Destroy
>     your tickets with kdestroy, and create new tickets
>     with kinit.
> 
>   * Make sure that the target host has a keytab file
>     with the correct version of the service key. Use
>     kadmin to view the key version number of the service
>     principal (for example, host/FQDN-hostname) in the
>     Kerberos database. Also, use klist -k on the target
>     host to make sure that it has the same key version
>     number.
> 
> [/google]
> 
> So, from this, I used the following commands to verify
> whether principals use the same key as 'host' of the
> master kdc.
> 
> Checking with the command 'klist -k' shows:
> 
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/mymachine@MYDOMAIN
>    3 host/mymachine@MYDOMAIN
> 
> Then, running 'kadmin.local: get_principal host/mymachine' gives:
> 
> Principal: host/mymachine@MYDOMAIN
> Expiration date: [never]
> Last password change: Tue Jun 26 09:58:41 CDT 2007
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Tue Jun 26 09:58:41 CDT 2007 (tester/admin@MYDOMAIN)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 3, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
> 
> So, it seems ok(?). The error message seems to me to say
> that there is some discrepancy between the service key of
> the master kdc and the one used for the principal? But to
> ensure everything is ok, this is the order:
> - create host/mymachine@MYDOMAIN principal
> - extract host keytab for the above principal to
>   /etc/krb5.keytab
> - add principal for 'tester'
> 
> Any thoughts? Thanks
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

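The check the quoted post carries out by hand (compare the kvno in /etc/krb5.keytab with the kvno the KDC holds for host/mymachine), done as an added example that is not part of the thread and not OpenSuse or MIT code. It parses the text that MIT `klist -ke` prints on the host and the `Key: vno N, <enctype>` lines that `kadmin getprinc` prints on the KDC, and reports every (kvno, enctype) pair that exists on only one side; the `-e` flag matters, because plain `klist -k`, as run in the thread, hides the enctype, and a keytab with the right kvno but a different enctype is just as unusable. The output samples are constructed to mirror the thread, and the long-to-short enctype name table is an assumption about kadmin's wording, not something read from a live KDC.

```python
"""Keytab-vs-KDC key check (added example, not code from the mailing-list thread).

Compares the (kvno, enctype) pairs in `klist -ke` output for a host principal
with the `Key: vno N, <enctype>` lines in `kadmin getprinc` output. Any pair
present on one side only means the keytab cannot decrypt tickets the KDC
issues for that principal, one way to end up with pam_krb5's
"Decrypt integrity check failed". Sample outputs below are constructed.
"""
import re
from collections import namedtuple

KeyId = namedtuple("KeyId", "kvno enctype")
PRINCIPAL = "host/mymachine@MYDOMAIN"

# `klist -ke` lines look like "   3 host/mymachine@MYDOMAIN (des3-cbc-sha1)".
_KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# `getprinc` key lines: "Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt"
_GETPRINC_RE = re.compile(r"^\s*Key:\s+vno\s+(\d+),\s+(.+?)(?:,\s+(.*))?$")

# kadmin prints long enctype names, klist prints short ones. Assumed mapping,
# covering the two names that appear in the thread plus common modern ones.
_LONG_TO_SHORT = {
    "triple des cbc mode with hmac/sha1": "des3-cbc-sha1",
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "aes-256 cts mode with 96-bit sha-1 hmac": "aes256-cts-hmac-sha1-96",
    "aes-128 cts mode with 96-bit sha-1 hmac": "aes128-cts-hmac-sha1-96",
    "arcfour with hmac/md5": "arcfour-hmac",
}


def parse_klist(text, principal):
    """Set of KeyId for `principal` found in `klist -ke` output."""
    keys = set()
    for line in text.splitlines():
        m = _KLIST_RE.match(line)
        if m and m.group(2) == principal:
            keys.add(KeyId(int(m.group(1)), m.group(3).strip().lower()))
    return keys


def parse_getprinc(text):
    """Set of KeyId in `kadmin getprinc` output, enctypes normalised to short names."""
    keys = set()
    for line in text.splitlines():
        m = _GETPRINC_RE.match(line)
        if m:
            name = m.group(2).strip().lower()
            keys.add(KeyId(int(m.group(1)), _LONG_TO_SHORT.get(name, name)))
    return keys


def diff_keys(keytab_keys, kdc_keys):
    """(only_in_keytab, only_on_kdc); both empty means the keytab matches the KDC."""
    return keytab_keys - kdc_keys, kdc_keys - keytab_keys


def report(klist_text, getprinc_text, principal=PRINCIPAL):
    """One-line verdict: "ok", or "mismatch: ..." naming the stray keys."""
    only_keytab, only_kdc = diff_keys(parse_klist(klist_text, principal),
                                      parse_getprinc(getprinc_text))
    if not only_keytab and not only_kdc:
        return "ok"

    def fmt(keys):
        return ", ".join(f"vno {k.kvno} {k.enctype}" for k in sorted(keys))

    return (f"mismatch: keytab-only [{fmt(only_keytab)}] "
            f"kdc-only [{fmt(only_kdc)}]; re-extract the keytab on the host")


# Constructed sample output, shaped like the thread's (kvno 3, two enctypes).
KLIST_OK = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mymachine@MYDOMAIN (des3-cbc-sha1)
   3 host/mymachine@MYDOMAIN (des-cbc-crc)
"""
GETPRINC = """\
Principal: host/mymachine@MYDOMAIN
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
"""
# Constructed: a keytab extracted before the KDC key was rotated (kvno 2 vs 3).
KLIST_STALE = KLIST_OK.replace("   3 host", "   2 host")

if __name__ == "__main__":
    print(report(KLIST_OK, GETPRINC))     # ok
    print(report(KLIST_STALE, GETPRINC))  # starts with "mismatch:"
```

On a real host the two inputs are `klist -ke /etc/krb5.keytab` run locally and `kadmin -q "getprinc host/$(hostname -f)"` run against the KDC. Two caveats a practitioner should keep in mind: the thread's own kvno already matched, and "Decrypt integrity check failed" (KRB5KRB_AP_ERR_BAD_INTEGRITY) is returned by any decryption whose key does not match, including the client's password-derived key failing to decrypt the AS-REP for the user principal, so a clean keytab diff does not by itself settle the case; and pam_krb5 only touches the host keytab at all if it is configured to validate the TGT against a service key, which is a configuration question the check above cannot answer.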