Users occasionally kicked after pam_krb5 login
normelton at gmail.com
Thu May 24 12:12:55 EDT 2007
I've recreated the entire setup on virtual machines. A fresh KDC and
a fresh client, both running RedHat 5. The problem persists. As part
of my .bashrc file, I'm logging the output of "klist", and have
discovered that in the cases that the user is getting immediately
kicked off the system, there are no tickets listed. When a ticket is
present, the user's session behaves normally. There is likewise no /
tmp/krb5cc_xxx key cache.
My /var/log/messages log looks the same whether the user gets a
ticket or not:
May 24 12:10:24 client login: pam_unix(login:auth): authentication
failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
May 24 12:10:24 client login: pam_krb5: authentication succeeds
for 'testuser' (testuser at KRBDOMAIN)
May 24 12:10:24 client login: pam_unix(login:session): session opened
for user testuser by LOGIN(uid=0)
May 24 12:10:24 client login: pam_selinux(login:session): Warning!
Could not get new context for /dev/tty1, not relabeling: Invalid
May 24 12:10:24 client login: pam_selinux(login:session): usercon=
May 24 12:10:24 client login: LOGIN ON tty1 BY testuser
I've noticed the strange looking selinux message before, but cannot
find a cause for it. I'm running selinux in permissive mode, so I
don't think this is the culprit.
I've also turned on PAM debugging, and nothing suspicious here
either. The output from a "bad" session matches line-for-line the
output of a "good" session followed by a manual logout.
Thanks again for your help. Any thoughts?
On May 23, 2007, at 3:50 PM, Edgecombe, Jason wrote:
> What does /var/log/messages say?
> Jason Edgecombe
> Solaris & Linux Administrator
> Mosaic Computing Group, College of Engineering
> Phone: (704) 687-3514
More information about the Kerberos