Users occasionally kicked after pam_krb5 login

Edgecombe, Jason jwedgeco at uncc.edu
Wed May 23 15:50:49 EDT 2007


What does /var/log/messages say?
 
Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 
 

________________________________

From: Norman Elton [mailto:normelton at gmail.com] 
Sent: Wednesday, May 23, 2007 12:53 PM
To: Edgecombe, Jason
Subject: Re: Users occasionally kicked after pam_krb5 login


Jason,

Thanks for the suggestion. Unfortunately, the client is still getting
kicked.

When I make a local password, things seem fine. But I'm not 100%
convinced this is actually a Kerberos issue. What else would cause a
user to get "kicked" off the system? I've tried to see if anything in
.bash_profile or .bashrc is failing, but they all look good. 

Any other ideas?

Thanks,

Norman


On 5/23/07, Edgecombe, Jason <jwedgeco at uncc.edu> wrote: 

	Try moving the krb5 line for pam to just above the pam_succeed_if line.
	
	
	Jason Edgecombe 
	Solaris & Linux Administrator
	Mosaic Computing Group, College of Engineering
	UNC-Charlotte
	Phone: (704) 687-3514
	
	
	-----Original Message-----
	From: Norman Elton [mailto:normelton at gmail.com]
	Sent: Wednesday, May 23, 2007 11:08 AM
	To: Edgecombe, Jason
	Subject: Re: Users occasionally kicked after pam_krb5 login
	
	Jason,
	
	Thanks for the response. I've attached my krb5.conf and system-auth
	files below. I've changed the server names to protect the innocent.
	
	Also, I've noticed that this only applies to local console logins. SSH
	works as expected.
	
	Thanks for any advice! 
	
	Norman
	
	======== krb5.conf
	
	[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log
	
	[libdefaults]
	default_realm = MY.KRB.REALM.COM
	dns_lookup_realm = false
	dns_lookup_kdc = false
	ticket_lifetime = 24h
	forwardable = yes
	
	[realms]
	EXAMPLE.COM = {
	  kdc = kerberos.example.com:88
	  admin_server = kerberos.example.com:749
	  default_domain = example.com
	}
	
	MY.KRB.REALM.COM = {
	  kdc = 111.222.333.444 
	  admin_server = 111.222.333.444
	}
	
	[domain_realm]
	.example.com = EXAMPLE.COM
	example.com = EXAMPLE.COM
	
	my.krb.realm.com = MY.KRB.REALM.COM
	.my.krb.realm.com = MY.KRB.REALM.COM
	[kdc]
	profile = /var/kerberos/krb5kdc/kdc.conf
	
	[appdefaults]
	pam = {
	   debug = false
	   ticket_lifetime = 36000
	   renew_lifetime = 36000
	   forwardable = true
	   krb4_convert = false 
	}
	
	======== system-auth
	
	#%PAM-1.0
	# This file is auto-generated.
	# User changes will be destroyed the next time authconfig is run.
	auth        required      pam_env.so
	auth        sufficient    pam_unix.so nullok try_first_pass 
	auth        requisite     pam_succeed_if.so uid >= 500 quiet
	auth        sufficient    pam_krb5.so use_first_pass
	auth        required      pam_deny.so
	
	account     required      pam_unix.so broken_shadow 
	account     sufficient    pam_succeed_if.so uid < 500 quiet
	account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
	account     required      pam_permit.so
	
	password    requisite     pam_cracklib.so try_first_pass retry=3
	password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
	password    sufficient    pam_krb5.so use_authtok
	password    required      pam_deny.so
	
	session     optional      pam_keyinit.so revoke 
	session     required      pam_limits.so
	session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
	session     required      pam_unix.so
	session     optional      pam_krb5.so
	
	
	
	On 5/23/07, Edgecombe, Jason <jwedgeco at uncc.edu> wrote:
	
	        Please post your /etc/krb5.conf file and /etc/pam.d/system-auth-ac file.
	
	
	
	        Jason Edgecombe
	        Solaris & Linux Administrator
	        Mosaic Computing Group, College of Engineering
	        UNC-Charlotte
	        Phone: (704) 687-3514 
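To see what Jason's suggestion (moving the pam_krb5 line above pam_succeed_if) actually changes in the quoted system-auth auth stack, here is a simplified evaluator of Linux-PAM control flags; it is an added example, not code from the thread or from Linux-PAM. Module results are constructed sample data and only the four keyword controls are modelled, not the [value=action] bracket syntax.

```python
# Added example: simplified pam.conf(5) control semantics applied to the
# auth stack posted in this thread. Module outcomes are supplied as a
# dict of constructed sample results, so nothing here talks to a KDC.

ORIGINAL_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),   # the "uid >= 500" gate
    ("sufficient", "pam_krb5.so"),
    ("required",   "pam_deny.so"),
]

# Jason's suggested ordering: pam_krb5 just above pam_succeed_if.
REORDERED_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_krb5.so"),
    ("requisite",  "pam_succeed_if.so"),
    ("required",   "pam_deny.so"),
]

def evaluate(stack, results):
    """Walk the stack top to bottom.

    results maps module name -> True (PAM_SUCCESS) or False (failure).
    Returns (outcome, list of modules actually consulted).
    """
    failed = False                 # a failed 'required' is remembered, not returned yet
    consulted = []
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return "denied", consulted           # fail the stack immediately
        if control == "required" and not ok:
            failed = True                        # keep going, hide which module failed
        if control == "sufficient" and ok and not failed:
            return "granted", consulted          # short-circuit success
        # 'optional' and a failed 'sufficient' contribute nothing
    return ("denied" if failed else "granted"), consulted

def kerberos_only_user(uid):
    """Constructed sample: no local password, valid Kerberos credentials."""
    return {"pam_env.so": True, "pam_unix.so": False,
            "pam_succeed_if.so": uid >= 500, "pam_krb5.so": True,
            "pam_deny.so": False}
```

With the posted ordering a Kerberos-only account below uid 500 never reaches pam_krb5, because the requisite pam_succeed_if line ends the stack; with the reordering it is granted before the uid gate is consulted.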