problem with pam_krb5 4.2-1

Rohit Kumar Mehta rohitm at engr.uconn.edu
Thu May 13 16:26:10 EDT 2010


Hi guys, in upgrading some Ubuntu systems from Karmic (libpam-krb5 
3.15-1) to Lucid (libpam-krb5 4.2-1) I discovered a problem.

SSH authentication would fail with pam_krb5 the error:
"credential verification failed: KDC has no support for encryption type"

However kinit username at REALM worked fine, as did kerberized NFS mounts.  
I found that if I removed my krb5.keytab things ssh authentication also 
worked.  After reading the docs I was able to get login working and keep 
my krb5.keytab by adding a "keytab=/foo" option to the line in my 
/etc/pam.d/common-auth that called pam_krb5.so.  Is there a downside to 
doing this?

I'm also wondering why my krb5.keytab is not accepted by pam_krb5.  
Could it be because I am authenticating in the realm=AD.ENGR.UCONN.EDU 
and the principals in the keytab are in the realm=ENGR.UCONN.EDU?

Thanks for any assistance!

Rohit

-- 
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031

Office: (860) 486 - 2331
Fax: (860) 486 - 1273





More information about the Kerberos mailing list