Users occasionally kicked after pam_krb5 login

Edgecombe, Jason jwedgeco at uncc.edu
Wed May 23 11:31:46 EDT 2007


Try moving the krb5 line for pam to just above the pam_succeed_if line.


Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 

-----Original Message-----
From: Norman Elton [mailto:normelton at gmail.com] 
Sent: Wednesday, May 23, 2007 11:08 AM
To: Edgecombe, Jason
Subject: Re: Users occasionally kicked after pam_krb5 login

Jason,

Thanks for the response. I've attached my krb5.conf and system-auth
files below. I've changed the server names to protect the innocent.

Also, I've noticed that this only applies to local console logins. SSH
works as expected. 

Thanks for any advice!

Norman

======== krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults] 
 default_realm = MY.KRB.REALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 MY.KRB.REALM.COM = {
  kdc = 111.222.333.444
  admin_server = 111.222.333.444
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 my.krb.realm.com = MY.KRB.REALM.COM
 .my.krb.realm.com = MY.KRB.REALM.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

======== system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run. 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass 
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so 
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok 
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so



On 5/23/07, Edgecombe, Jason <jwedgeco at uncc.edu> wrote:

	Please post your /etc/krb5.conf file and
	/etc/pam.d/system-auth-ac file.

	Jason Edgecombe
	Solaris & Linux Administrator
	Mosaic Computing Group, College of Engineering
	UNC-Charlotte
	Phone: (704) 687-3514
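To see why the order of the auth lines matters here, below is a small Python model of the pam.d(5) control-flag dispatch, run over the posted auth and account lines and over the reordering suggested in the reply. This is example code added for this page, not anything from the thread or from Linux-PAM: the stack walk is simplified (only the ok, bad, done, die and reset actions are modelled), the module results in outcomes_for are constructed per user profile, and the user profiles themselves are made up. What it shows is which users the requisite pam_succeed_if line stops before pam_krb5 is ever consulted, and how that changes once pam_krb5 sits above it.

```python
"""Walk a pam.d stack with a simplified model of Linux-PAM control flags.

Added example, not from the mailing-list thread. Each line's control field
becomes a {return-value: action} table as described in pam.d(5), and the
stack is walked in order for one management group. Module results come from
a constructed `outcome` callback, so the posted system-auth stack can be
compared against the suggested reordering without a real PAM library.
"""
import re

# Keyword controls written as their bracketed equivalents (pam.d(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse pam.d lines into (type, control_table, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam.d line: %r" % raw)
        mtype, control, module, args = m.groups()
        if control.startswith("["):              # [value=action ...] form
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORD_CONTROLS[control]
        entries.append((mtype, table, module, args.split()))
    return entries


def run_stack(entries, mtype, outcome):
    """Walk one management group (auth, account, ...).
    `outcome(mtype, module, args)` returns the module's result, e.g.
    'success', 'auth_err', 'user_unknown'. Returns (result, modules_consulted).
    Simplified: 'ok'/'bad' record the first status, 'done'/'die' also stop
    the walk, 'reset' clears the status; other actions are not modelled."""
    status, consulted = None, []
    for etype, table, module, args in entries:
        if etype != mtype:
            continue
        ret = outcome(mtype, module, args)
        consulted.append(module)
        action = table.get(ret, table.get("default", "ignore"))
        if action == "reset":
            status = None
        elif action in ("ok", "bad", "done", "die"):
            if status in (None, "success"):      # first failure wins
                status = ret
            if action in ("done", "die"):
                break
    return (status or "perm_denied"), consulted


def outcomes_for(user):
    """Constructed module behaviour for a made-up user profile
    {'uid': int, 'local_password': bool, 'krb_ok': bool}."""
    def outcome(mtype, module, args):
        if module == "pam_succeed_if.so":        # only 'uid >= N' / 'uid < N'
            value = int(args[2])
            held = {">=": user["uid"] >= value, "<": user["uid"] < value}[args[1]]
            return "success" if held else "auth_err"
        if module == "pam_unix.so":
            if mtype == "auth":
                return "success" if user["local_password"] else "auth_err"
            return "success"                     # local passwd entry exists
        if module == "pam_krb5.so":
            if mtype == "auth":
                return "success" if user["krb_ok"] else "auth_err"
            return "success" if user["krb_ok"] else "user_unknown"
        if module == "pam_deny.so":
            return "perm_denied"
        return "success"                         # pam_env, pam_permit, ...
    return outcome


# The auth and account lines from the posted system-auth.
POSTED = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
"""


def move_krb5_above_succeed_if(stack_text):
    """Apply the reply's suggestion: put the auth pam_krb5 line just above
    the auth pam_succeed_if line."""
    lines = stack_text.splitlines()
    krb = next(i for i, l in enumerate(lines) if l.startswith("auth") and "pam_krb5" in l)
    suc = next(i for i, l in enumerate(lines) if l.startswith("auth") and "pam_succeed_if" in l)
    line = lines.pop(krb)
    if krb < suc:
        suc -= 1
    lines.insert(suc, line)
    return "\n".join(lines)


SUGGESTED = move_krb5_above_succeed_if(POSTED)


def evaluate(stack_text, user):
    """Return {'auth': (result, consulted), 'account': (result, consulted)}."""
    entries, outcome = parse_stack(stack_text), outcomes_for(user)
    return {g: run_stack(entries, g, outcome) for g in ("auth", "account")}


if __name__ == "__main__":
    users = {                                    # constructed profiles
        "krb user uid 1000":     {"uid": 1000, "local_password": False, "krb_ok": True},
        "krb user uid 400":      {"uid": 400,  "local_password": False, "krb_ok": True},
        "bad password uid 1000": {"uid": 1000, "local_password": False, "krb_ok": False},
    }
    for name, user in users.items():
        for label, stack in (("posted", POSTED), ("suggested", SUGGESTED)):
            r = evaluate(stack, user)
            print("%-22s %-9s auth=%-11s via %s" % (name, label, r["auth"][0], r["auth"][1]))
```

Running it shows that with the posted order a Kerberos-only user with uid below 500 is refused by the requisite pam_succeed_if line before pam_krb5 is reached, while with pam_krb5 moved above it the same user authenticates and pam_succeed_if is never consulted; users with uid 500 or above behave the same under both orders.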