Logging in with kerberos fails, but acquiring a ticket with kinit does not

Thomas Schweikle tps at vr-web.de
Wed Jan 26 17:38:13 EST 2011


Hi!

I've set up Ubuntu to auth against a Kerberos server. The client is
equipped with:
krb5-config
krb5-user
libgssapi-krb5-2
libkrb5-3
libkrb5support0
libpam-krb5

/etc/krb5.config holds:
[libdefaults]
        default_realm = EXAMPLE.COM
        #dns_lookup_kdc = true
        #dns_lookup_realm = true

    # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.COM = {
                kdc = srv.example.com
                admin_server = srv.example.com
                default_domain = example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        default = FILE:/var/log/kerberos/krb5lib.log
        admin_server = FILE:/var/log/kerberos/kadmin.log

PAM (/etc/pam.d/common-auth):
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Now local login:
user@host:~$ su - user
Password:
su: Fehler bei Authentifizierung
user@host:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
user@host:~$ kinit user
Password for user@EXAMPLE.COM:
user@host:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
01/26/11 23:30:12  01/27/11 09:30:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/27/11 23:30:07

Any idea what's wrong here?


-- 
Thomas


