disabling krb524d attempts - causes login hangs

Fletcher Cocquyt fcocquyt at stanford.edu
Fri Dec 19 09:41:54 EST 2008


Hi, a recent campus firewall change has caused user's kerberos logins to hang on
this system.  The problem has been isolated to a krb524 attempt (which used to
swiftly fail - but now tries for 60-90 seconds before failing).

How can we explicitly disable the krb524 communication attempt (campus does not
run that service)

Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: flag: no external
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: flag: warn
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: ticket lifetime: 0
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: renewable lifetime: 0
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: minimum uid: 100
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: banner: Kerberos 5
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: ccache dir: /tmp
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: keytab: FILE:/etc
/krb5.keytab
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: called to authenticate
'fcocquyt', realm 'stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: authenticating
'fcocquyt at stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: trying 
previously-entered
password for 'fcocquyt', allowing libkrb5 to prompt for more
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: authenticating
'fcocquyt at stanford.edu' to 'krbtgt/stanford.edu at stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]:
krb5_get_init_creds_password(krbtgt/stanford.edu at stanford.edu) returned 0 
(Success)
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: got result 0 (Success)
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: obtaining v4-compatible
 key
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: obtained des-cbc-crc v5
 creds
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: converting v5 creds to 
v4
creds (etype = 1)
...
...<hang > 60 seconds >
...
...


many thanks






More information about the Kerberos mailing list