Problem with Kerberos auth to Linux machine (user/pass from AD)

George george.m at wp.pl
Tue Aug 14 12:29:27 EDT 2012


What is interesting...

What I did:
Removed the /etc/krb5.keytab file
Stopped the ntp server on the Linux box
Manually adjusted the date from the Windows machine (ntpdate 192.168.144.143) and
started the ntp server again.

Then I tried to log in.

Now I see the following logs:

Aug 14 19:16:19 ubu03 sshd[1681]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
Aug 14 19:16:19 ubu03 sshd[1681]: pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser at LINUX.DOMAIN
Aug 14 19:16:22 ubu03 sshd[1681]: pam_krb5(sshd:auth): user testuser authenticated as testuser at LINUX.DOMAIN
Aug 14 19:16:22 ubu03 sshd[1681]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
Aug 14 19:16:22 ubu03 sshd[1681]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Aug 14 19:16:22 ubu03 sshd[1681]: pam_krb5(sshd:account): (user testuser) retrieving principal from cache
Aug 14 19:16:22 ubu03 sshd[1681]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (success)
Aug 14 19:16:22 ubu03 sshd[1679]: Accepted keyboard-interactive/pam for testuser from 192.168.147.102 port 31194 ssh2
Aug 14 19:16:22 ubu03 nslcd[999]: [200854] <group/member="testuser"> ldap_result() failed: No such object
Aug 14 19:16:22 ubu03 sshd[1679]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Aug 14 19:16:22 ubu03 sshd[1679]: pam_krb5(sshd:setcred): no context found, creating one
Aug 14 19:16:22 ubu03 sshd[1679]: pam_krb5(sshd:setcred): (user testuser) found initial ticket cache at /var/tmp/krb5cc_pam_4Kw0LB
Aug 14 19:16:22 ubu03 sshd[1679]: pam_krb5(sshd:setcred): (user testuser) initializing ticket cache /var/tmp/krb5cc_10001_wyCVAA
Aug 14 19:16:22 ubu03 sshd[1679]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Aug 14 19:16:22 ubu03 nslcd[999]: [b127f8] <group=10000> ldap_result() failed: No such object
Aug 14 19:16:22 ubu03 sshd[1679]: pam_krb5(sshd:session): pam_sm_open_session: entry
Aug 14 19:16:22 ubu03 sshd[1679]: pam_krb5(sshd:session): pam_sm_open_session: exit (success)
Aug 14 19:16:22 ubu03 sshd[1679]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Aug 14 19:16:22 ubu03 sshd[1796]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Aug 14 19:16:22 ubu03 sshd[1796]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Aug 14 19:16:23 ubu03 sshd[1679]: pam_krb5(sshd:session): pam_sm_close_session: entry (silent)
Aug 14 19:16:23 ubu03 sshd[1679]: pam_krb5(sshd:session): pam_sm_close_session: exit (success)
Aug 14 19:16:23 ubu03 sshd[1679]: pam_unix(sshd:session): session closed for user testuser
Aug 14 19:16:24 ubu03 sshd[1679]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (delete)
Aug 14 19:16:24 ubu03 sshd[1679]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)


So it looks like the user is correctly authenticated. Right?

testuser at ubu03:~$ mkdir xx
testuser at ubu03:~$ ls -l
total 4
drwxr-xr-x 2 testuser 10000 4096 Aug 14 13:55 xx

So I do not see the group associated with the user (SecureLDAP). Why?

What is also interesting is that I also have errors from the nslcd daemon:
Aug 14 19:12:56 ubu03 nslcd[999]: [45e146] <passwd="testuser"> ldap_search_ext() failed: Can't contact LDAP server
Aug 14 19:12:56 ubu03 nslcd[999]: [45e146] <passwd="testuser"> no available LDAP server found, sleeping 1 seconds
Aug 14 19:16:22 ubu03 nslcd[999]: [200854] <group/member="testuser"> ldap_result() failed: No such object
Aug 14 19:16:22 ubu03 nslcd[999]: [b127f8] <group=10000> ldap_result() failed: No such object
Aug 14 19:17:01 ubu03 nslcd[999]: [90cde7] <group/member="root"> ldap_result() failed: No such object





