root login via Kerberos5 - "User not known to the underlying authentication module" - why?

Wendy Lin wendlin1974 at gmail.com
Sat Mar 29 09:01:07 EDT 2014


On 27 March 2014 18:12, Wendy Lin <wendlin1974 at gmail.com> wrote:
> On 24 March 2014 11:58, Predrag Zecevic [Unix Systems Administrator]
> <Predrag.Zecevic at 2e-systems.com> wrote:
>> On 03/24/14 11:31 AM, Wendy Lin wrote:
>>> I am trying to allow user root (uid=0) to be authenticated via
>>> Kerberos5 at login time, too, but if I do I get a "User not known to
>>> the underlying authentication module" error and login is refused.
>>>
>>> OS is Suse 13.1
>>>
>>> pam config is:
>>> grep -r krb5 /etc/pam.d/
>>> /etc/pam.d/common-password-pc:password  sufficient      pam_krb5.so
>>> /etc/pam.d/common-account-pc:account    required        pam_krb5.so
>>>   use_first_pass
>>> /etc/pam.d/common-auth-pc:auth  sufficient      pam_krb5.so     use_first_pass
>>> /etc/pam.d/common-session-pc:session    optional        pam_krb5.so
>>>
>>> What am I doing wrong?
>>>
>>> Wendy
>> Hi,
>>
>> * does other users have similar problem?
>>     (user root is 'defined' on each system before staring to use Kerberos, so try to find other account similar to root and try to
>> use it)...
>
> There is a root@<PRINCIPAL>
>
>> * does you Kerberos have LDAP as backend DB?
>>     If yes (like I would expect), then probably user root is no defined, so you can add (to pam configuration) something like:
>> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
>
> No, we use the built in database backend in this case.

I turned on pam_krb5 debugging and received this in /var/log/messages:

pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
returning "User not known to the underlying authentication module"

What does this mean? I clearly have a root principal for EXAMPLE.COM:
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 root/admin at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 root/admin at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 root/admin at EXAMPLE.COM (des3-cbc-sha1)
   2 root/admin at EXAMPLE.COM (arcfour-hmac)
  11 root at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  11 root at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
  11 root at EXAMPLE.COM (des3-cbc-sha1)
  11 root at EXAMPLE.COM (arcfour-hmac)
   2 host/example.com at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/example.com at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/example.com at EXAMPLE.COM (des3-cbc-sha1)
   2 host/example.com at EXAMPLE.COM (arcfour-hmac)
   2 nfs/example.com at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/example.com at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 nfs/example.com at EXAMPLE.COM (des3-cbc-sha1)
   2 nfs/example.com at EXAMPLE.COM (arcfour-hmac)
   2 test001 at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 test001 at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 test001 at EXAMPLE.COM (des3-cbc-sha1)
   2 test001 at EXAMPLE.COM (arcfour-hmac)

$ kadmin -q 'listprincs'
Authenticating as principal root/admin at EXAMPLE.COM with password.
Password for root/admin at EXAMPLE.COM:
K/M at EXAMPLE.COM
host/example.com at EXAMPLE.COM
kadmin/admin at EXAMPLE.COM
kadmin/changepw at EXAMPLE.COM
kadmin/example.com at EXAMPLE.COM
krbtgt/EXAMPLE.COM at EXAMPLE.COM
nfs/example.com at EXAMPLE.COM
root/admin at EXAMPLE.COM
root at EXAMPLE.COM
test001 at EXAMPLE.COM

Wendy

PS: Full log is:
login: pam_krb5[3808]: flag: debug
login: pam_krb5[3808]: flag: don't always_allow_localname
login: pam_krb5[3808]: flag: no ignore_afs
login: pam_krb5[3808]: flag: no null_afs
login: pam_krb5[3808]: flag: cred_session
login: pam_krb5[3808]: flag: no ignore_k5login
login: pam_krb5[3808]: flag: user_check
login: pam_krb5[3808]: will try previously set password first
login: pam_krb5[3808]: will let libkrb5 ask questions
login: pam_krb5[3808]: flag: no use_shmem
login: pam_krb5[3808]: flag: no external
login: pam_krb5[3808]: flag: no multiple_ccaches
login: pam_krb5[3808]: flag: validate
login: pam_krb5[3808]: flag: warn
login: pam_krb5[3808]: minimum uid: 0
login: pam_krb5[3808]: banner: Kerberos 5
login: pam_krb5[3808]: ccache dir: /tmp
login: pam_krb5[3808]: ccname template: DIR:/run/user/%U/krb5cc_XXXXXX
login: pam_krb5[3808]: keytab: FILE:/etc/krb5.keytab
login: pam_krb5[3808]: token strategy: 2b,rxk5
login: pam_krb5[3808]: pam_acct_mgmt called for 'root', realm 'EXAMPLE.COM'
login: pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
returning "User not known to the underlying authentication module"


More information about the Kerberos mailing list