Problem with Kerberos auth to linux machine (user/pass from AD)

George george.m at wp.pl
Mon Aug 13 20:10:28 EDT 2012


Welcome!

As I wrote in the subject, the problem is with logging in to the linux 
machine with Kerberos authorization.

This is my first time configuring Kerberos, so please be 
forgiving ;)


The basics: what I did:


On Windows (win server 2008R2 – computer name: active, full name: 
active.linux.domain)
- installed Active Directory, Microsoft Identity for UNIX and DNS server
- created forest linux.domain
- added linux box record (ubuntu.linux.domain) to windows DNS
- created SRV record for windows machine (active.linux.domain)
- added a user (ldapquery) to do authorization for linux boxes, and 
  created credentials for it
- created regular user testuser, with the unix attributes (uid, 
  group, home dir etc.)
- created a group for this user


On Linux box (ubuntu.linux.domain)
- installed packages: krb5-* libkrb-*
- downloaded and compiled nss-pam-ldapd-0.8.10.tar.gz
- installed and configured nslcd daemon
- installed and configured NTP server, to get current time from the 
  Windows machine


What is important:
- ldapsearch gives the results perfectly
- getent passwd also shows remote AD users
- when I log in to the machine, it lets me in correctly (but 
  without Kerberos auth)



Now, when I try to log in to the server using the credentials from AD, I 
get the following logs:


Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser at LINUX.DOMAIN
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Clock skew too great
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.159
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.159  user=testuser
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): skipping non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Aug 14 01:58:16 ubuntu32 sshd[15831]: Accepted password for testuser from 192.168.2.159 port 51594 ssh2
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_open_session: entry
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_close_session: entry (silent)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_unix(sshd:session): session closed for user testuser
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (delete)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)


My authorization goes well, but as we see in the logs, Kerberos isn't used ;/ 
What could it be? I will be glad for any hints, suggestions, or 
solutions. How to test it deeper, what to correct, check?

Regards!

-- 
Best Regards
George
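
An added example, not part of the original post: Python that groups sshd/pam_krb5 syslog lines by sshd PID and flags sessions where pam_krb5 reported an error yet sshd still accepted the login, which is the pattern visible in the logs above. The sample lines are taken from the post with the e-mail line wrapping removed; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: selected syslog lines from the post, one event per line.
SAMPLE_LOG = """\
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Clock skew too great
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
Aug 14 01:58:16 ubuntu32 sshd[15831]: Accepted password for testuser from 192.168.2.159 port 51594 ssh2
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pam_krb5 auth-stage error: "(user X) krb5_<call>: <error text>"
KRB_ERR = re.compile(
    r"pam_krb5\(sshd:auth\): \(user (?P<user>\S+)\) (?P<call>krb5_\w+): (?P<err>.+)$")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+)")


def summarize(log_text):
    """Group sshd/pam_krb5 events by sshd PID."""
    sessions = defaultdict(lambda: {"user": None, "krb5_error": None,
                                    "accepted": None, "rhost": None,
                                    "no_ccache": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if (k := KRB_ERR.match(msg)):
            s["user"], s["krb5_error"] = k["user"], f'{k["call"]}: {k["err"]}'
        elif (a := ACCEPTED.match(msg)):
            s["user"], s["accepted"], s["rhost"] = a["user"], a["method"], a["rhost"]
        elif "unable to get PAM_KRB5CCNAME" in msg:
            s["no_ccache"] = True  # no ticket cache was created for the session
    return dict(sessions)


def fallback_logins(log_text):
    """PIDs where pam_krb5 reported an error but sshd still accepted the login."""
    return {pid: s for pid, s in summarize(log_text).items()
            if s["krb5_error"] and s["accepted"]}


if __name__ == "__main__":
    for pid, s in fallback_logins(SAMPLE_LOG).items():
        print(f'sshd[{pid}] {s["user"]} from {s["rhost"]}: accepted via {s["accepted"]} '
              f'after {s["krb5_error"]} (ccache missing: {s["no_ccache"]})')
```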

