root login via Kerberos5 - "User not known to the underlying authentication module" - why?

Wendy Lin wendlin1974 at gmail.com
Tue Apr 1 04:24:43 EDT 2014


On 31 March 2014 22:44, Nalin Dahyabhai <nalin at redhat.com> wrote:
> On Sat, Mar 29, 2014 at 02:01:07PM +0100, Wendy Lin wrote:
>> On 27 March 2014 18:12, Wendy Lin <wendlin1974 at gmail.com> wrote:
>> > On 24 March 2014 11:58, Predrag Zecevic [Unix Systems Administrator]
>> > <Predrag.Zecevic at 2e-systems.com> wrote:
>> >> On 03/24/14 11:31 AM, Wendy Lin wrote:
>> >>> I am trying to allow user root (uid=0) to be authenticated via
>> >>> Kerberos5 at login time, too, but if I do I get a "User not known to
>> >>> the underlying authentication module" error and login is refused.
>> >>>
>> >>> OS is Suse 13.1
>> >>>
>> >>> pam config is:
>> >>> grep -r krb5 /etc/pam.d/
>> >>> /etc/pam.d/common-password-pc:password  sufficient      pam_krb5.so
>> >>> /etc/pam.d/common-account-pc:account    required        pam_krb5.so     use_first_pass
>> >>> /etc/pam.d/common-auth-pc:auth  sufficient      pam_krb5.so     use_first_pass
>> >>> /etc/pam.d/common-session-pc:session    optional        pam_krb5.so
>> >>>
>> >>> What am I doing wrong?
>> >>>
>> >>> Wendy
>> >> Hi,
>> >>
>> >> * do other users have a similar problem?
>> >>     (user root is 'defined' on each system before starting to use Kerberos, so try to find another account similar to root and try to
>> >> use it)...
>> >
>> > There is a root@<PRINCIPAL>
>> >
>> >> * does your Kerberos have LDAP as backend DB?
>> >>     If yes (like I would expect), then probably user root is not defined, so you can add (to pam configuration) something like:
>> >> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
>> >
>> > No, we use the built in database backend in this case.
>>
>> I turned on pam_krb5 debugging and received this in /var/log/messages:
>>
>> pam_krb5[3808]: user 'root' was not authenticated by pam_krb5, returning "User not known to the underlying authentication module"
> [snip]
>> PS: Full log is:
>> login: pam_krb5[3808]: flag: debug
>> login: pam_krb5[3808]: flag: don't always_allow_localname
>> login: pam_krb5[3808]: flag: no ignore_afs
>> login: pam_krb5[3808]: flag: no null_afs
>> login: pam_krb5[3808]: flag: cred_session
>> login: pam_krb5[3808]: flag: no ignore_k5login
>> login: pam_krb5[3808]: flag: user_check
>> login: pam_krb5[3808]: will try previously set password first
>> login: pam_krb5[3808]: will let libkrb5 ask questions
>> login: pam_krb5[3808]: flag: no use_shmem
>> login: pam_krb5[3808]: flag: no external
>> login: pam_krb5[3808]: flag: no multiple_ccaches
>> login: pam_krb5[3808]: flag: validate
>> login: pam_krb5[3808]: flag: warn
>> login: pam_krb5[3808]: minimum uid: 0
>> login: pam_krb5[3808]: banner: Kerberos 5
>> login: pam_krb5[3808]: ccache dir: /tmp
>> login: pam_krb5[3808]: ccname template: DIR:/run/user/%U/krb5cc_XXXXXX
>> login: pam_krb5[3808]: keytab: FILE:/etc/krb5.keytab
>> login: pam_krb5[3808]: token strategy: 2b,rxk5
>> login: pam_krb5[3808]: pam_acct_mgmt called for 'root', realm 'EXAMPLE.COM'
>> login: pam_krb5[3808]: user 'root' was not authenticated by pam_krb5, returning "User not known to the underlying authentication module"
>
> Your configuration file turns on the debug option all the time, so the
> lack of anything being logged during the authentication phase, which
> precedes the account management phase we see here, suggests that another
> plugin signalled that authentication completed successfully.
>
> The module gets called to check for password expiration during the
> account management phase, and it's returning a user-unknown code because
> it didn't try to check the user's password in the first place.
>
> Replacing the "account required pam_krb5.so" with the more complicated
> "account [default=bad success=ok user_unknown=ignore] pam_krb5.so" which
> I think Predrag Zecevic suggested should instruct the PAM library to not
> treat that as a fatal error.

Ah, but I *want* that pam_krb5 authenticates the user against Kerberos
so they do not have to do a kinit themselves after login, each time.

Wendy
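The stack behaviour Nalin describes, as an added worked model that is not part of this thread or of Linux-PAM itself: a simplified simulation of how the PAM library maps each module's return code through its control field (`required`, `sufficient`, or the bracketed form Predrag suggested) to a phase result. It assumes `pam_unix.so` is the "other plugin" that succeeded first in the auth phase; all return codes are constructed.

```python
# Simplified model of how Linux-PAM walks a module stack: each module's return
# code is mapped to an action by its control field, and the actions decide the
# phase result. Constructed example, not Linux-PAM source code.

SUCCESS, USER_UNKNOWN, PERM_DENIED = "success", "user_unknown", "perm_denied"

# The keyword controls, expanded as the pam.conf(5) manual documents them.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> action table."""
    if control.startswith("["):
        return dict(item.split("=") for item in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, returns):
    """stack: [(control, module)], returns: module -> constructed return code.
    Returns (phase result, modules that were actually called)."""
    impression, status, called = None, None, []
    for control, module in stack:
        ret = returns[module]
        called.append(module)
        table = parse_control(control)
        action = table.get(ret, table.get("default", "bad"))  # unlisted codes act as 'bad'
        if action == "ignore":
            continue                            # contributes nothing to the result
        if action in ("ok", "done"):
            if impression is None or (impression == "+" and status == SUCCESS):
                impression, status = "+", ret
            if action == "done" and impression == "+":
                break                           # 'sufficient' success ends the stack early
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", ret   # the first failure is what gets reported
            if action == "die":
                break
    return (status if impression is not None else PERM_DENIED), called

# auth phase: pam_unix.so stands in for the "other plugin" that succeeded (assumption).
AUTH_STACK = [("sufficient", "pam_unix.so"), ("sufficient", "pam_krb5.so")]
# account phase as posted, and with the bracketed control field from the thread.
ACCOUNT_REQUIRED = [("required", "pam_unix.so"), ("required", "pam_krb5.so")]
ACCOUNT_IGNORE = [("required", "pam_unix.so"),
                  ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so")]
# pam_krb5 never saw the password in auth, so it reports user_unknown in account.
ACCOUNT_RETURNS = {"pam_unix.so": SUCCESS, "pam_krb5.so": USER_UNKNOWN}
```

Running `run_stack` over `AUTH_STACK` shows `pam_krb5.so` is never called once the first `sufficient` module succeeds, and the two account stacks show why `required` turns the resulting `user_unknown` into a refused login while the bracketed control discards it.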
