Users occasionally kicked after pam_krb5 login

Norman Elton normelton at
Thu May 24 12:12:55 EDT 2007


I've recreated the entire setup on virtual machines. A fresh KDC and  
a fresh client, both running RedHat 5. The problem persists. As part  
of my .bashrc file, I'm logging the output of "klist", and have  
discovered that in the cases that the user is getting immediately  
kicked off the system, there are no tickets listed. When a ticket is  
present, the user's session behaves normally. There is likewise no / 
tmp/krb5cc_xxx key cache.

My /var/log/messages log looks the same whether the user gets a  
ticket or not:

May 24 12:10:24 client login: pam_unix(login:auth): authentication  
failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=   
May 24 12:10:24 client login: pam_krb5[4198]: authentication succeeds  
for 'testuser' (testuser at KRBDOMAIN)
May 24 12:10:24 client login: pam_unix(login:session): session opened  
for user testuser by LOGIN(uid=0)
May 24 12:10:24 client login: pam_selinux(login:session): Warning!   
Could not get new context for /dev/tty1, not relabeling: Invalid  
May 24 12:10:24 client login: pam_selinux(login:session): usercon= 
(null), prev_context=system_u:object_r:tty_device_t
May 24 12:10:24 client login: LOGIN ON tty1 BY testuser

I've noticed the strange looking selinux message before, but cannot  
find a cause for it. I'm running selinux in permissive mode, so I  
don't think this is the culprit.

I've also turned on PAM debugging, and nothing suspicious here  
either. The output from a "bad" session matches line-for-line the  
output of a "good" session followed by a manual logout.

Thanks again for your help. Any thoughts?


On May 23, 2007, at 3:50 PM, Edgecombe, Jason wrote:

> What does /var/log/messages say?
> Jason Edgecombe
> Solaris & Linux Administrator
> Mosaic Computing Group, College of Engineering
> UNC-Charlotte
> Phone: (704) 687-3514

More information about the Kerberos mailing list