Problem with Kerberos auth to linux machine (user/pass from AD)
George
george.m at wp.pl
Mon Aug 13 20:10:28 EDT 2012
Welcome!

As I wrote in the subject, the problem is with logging in to the Linux machine with Kerberos authorization.
This is my first time configuring Kerberos, so please be forgiving ;)
The basics: what I have done:

On Windows (Win Server 2008R2 – computer name: active, full name: active.linux.domain)
- installed Active Directory, Microsoft Identity for UNIX and DNS server
- created forest linux.domain
- added the Linux box record (ubuntu.linux.domain) to Windows DNS
- created an SRV record for the Windows machine (active.linux.domain)
- added a user (ldapquery) to make authorization for the Linux boxes and created credentials for it
- created a regular user testuser, with the UNIX attributes (uid, group, home dir etc.)
- created a group for this user

On the Linux box (ubuntu.linux.domain)
- installed packages: krb5-* libkrb-*
- downloaded and compiled nss-pam-ldapd-0.8.10.tar.gz
- installed and configured the nslcd daemon
- installed and configured an NTP server, to get the current time from the Windows machine

What is important:
- ldapsearch gives the results perfectly
- getent passwd also shows remote AD users
- when I log in to the machine, it lets me in correctly (but without Kerberos auth)

Now, when I try to log in to the server using the credentials from AD, I get the following logs:

Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser at LINUX.DOMAIN
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Clock skew too great
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.159
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.159 user=testuser
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): skipping non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Aug 14 01:58:16 ubuntu32 sshd[15831]: Accepted password for testuser from 192.168.2.159 port 51594 ssh2
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_open_session: entry
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Aug 14 01:58:16 ubuntu32 sshd[15831]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): no context found, creating one
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): (user testuser) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Aug 14 01:58:16 ubuntu32 sshd[15947]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_close_session: entry (silent)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_unix(sshd:session): session closed for user testuser
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (delete)
Aug 14 01:58:17 ubuntu32 sshd[15831]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)

My authorization goes well, but as we see in the logs, Kerberos isn't used ;/
What could it be? I will be glad for any hints, suggestions, or solutions. How can I test it deeper, and what should I correct or check?

Regards!
--
Best Regards
George
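
A detection sketch for the pattern visible in the log above, where pam_krb5 reports `Clock skew too great` and the same sshd process still logs `Accepted password`, meaning the login succeeded without a Kerberos ticket. This is an added example, not part of the original post; it assumes one syslog entry per line (unwrapped), and the sample lines and the function name `find_kerberos_fallbacks` are constructed for illustration.

```python
import re

# Constructed sample in the format of the log above, one entry per line.
# PID 15831 mirrors the posted session; the other two are made-up controls.
SAMPLE_LOG = """\
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser@LINUX.DOMAIN
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Clock skew too great
Aug 14 01:58:15 ubuntu32 sshd[15831]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.159
Aug 14 01:58:16 ubuntu32 sshd[15831]: Accepted password for testuser from 192.168.2.159 port 51594 ssh2
Aug 14 02:10:03 ubuntu32 sshd[16002]: Accepted password for localadmin from 192.168.2.160 port 51700 ssh2
Aug 14 02:15:40 ubuntu32 sshd[16110]: pam_krb5(sshd:auth): (user baduser) krb5_get_init_creds_password: Preauthentication failed
Aug 14 02:15:42 ubuntu32 sshd[16110]: Failed password for baduser from 192.168.2.161 port 51800 ssh2
"""

ENTRY = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pam_krb5 auth-stage line that carries the libkrb5 error text
KRB_ERR = re.compile(
    r"pam_krb5\(sshd:auth\): \(user (?P<user>\S+)\) krb5_\w+: (?P<reason>.+)$")
ACCEPT = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+)")


def find_kerberos_fallbacks(log_text):
    """Return logins where pam_krb5 failed but sshd accepted the same user
    in the same sshd process, i.e. another PAM module let the user in."""
    krb_failures = {}  # (pid, user) -> libkrb5 error text
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = entry["pid"], entry["msg"]
        err = KRB_ERR.match(msg)
        if err:
            krb_failures[(pid, err["user"])] = err["reason"]
            continue
        ok = ACCEPT.match(msg)
        if ok and (pid, ok["user"]) in krb_failures:
            findings.append({"pid": pid, "user": ok["user"],
                             "rhost": ok["rhost"], "method": ok["method"],
                             "krb5_error": krb_failures[(pid, ok["user"])]})
    return findings


if __name__ == "__main__":
    for finding in find_kerberos_fallbacks(SAMPLE_LOG):
        print(finding)
```

A `Clock skew too great` reason in the output points at time synchronisation between the host and the KDC as the first thing to check.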
More information about the Kerberos
mailing list