root login via Kerberos5 - "User not known to the underlying authentication module" - why?

Nalin Dahyabhai nalin at redhat.com
Mon Mar 31 16:44:54 EDT 2014


On Sat, Mar 29, 2014 at 02:01:07PM +0100, Wendy Lin wrote:
> On 27 March 2014 18:12, Wendy Lin <wendlin1974 at gmail.com> wrote:
> > On 24 March 2014 11:58, Predrag Zecevic [Unix Systems Administrator]
> > <Predrag.Zecevic at 2e-systems.com> wrote:
> >> On 03/24/14 11:31 AM, Wendy Lin wrote:
> >>> I am trying to allow user root (uid=0) to be authenticated via
> >>> Kerberos5 at login time, too, but if I do I get a "User not known to
> >>> the underlying authentication module" error and login is refused.
> >>>
> >>> OS is Suse 13.1
> >>>
> >>> pam config is:
> >>> grep -r krb5 /etc/pam.d/
> >>> /etc/pam.d/common-password-pc:password  sufficient      pam_krb5.so
> >>> /etc/pam.d/common-account-pc:account    required        pam_krb5.so     use_first_pass
> >>> /etc/pam.d/common-auth-pc:auth  sufficient      pam_krb5.so     use_first_pass
> >>> /etc/pam.d/common-session-pc:session    optional        pam_krb5.so
> >>>
> >>> What am I doing wrong?
> >>>
> >>> Wendy
> >> Hi,
> >>
> >> * do other users have a similar problem?
> >>     (user root is 'defined' on each system before starting to use Kerberos, so try to find another account similar to root and try to
> >> use it)...
> >
> > There is a root@<PRINCIPAL>
> >
> >> * does your Kerberos have LDAP as its backend DB?
> >>     If yes (like I would expect), then probably user root is not defined, so you can add (to the pam configuration) something like:
> >> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> >
> > No, we use the built in database backend in this case.
> 
> I turned on pam_krb5 debugging and received this in /var/log/messages:
> 
> pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
> returning "User not known to the underlying authentication module"
[snip]
> PS: Full log is:
> login: pam_krb5[3808]: flag: debug
> login: pam_krb5[3808]: flag: don't always_allow_localname
> login: pam_krb5[3808]: flag: no ignore_afs
> login: pam_krb5[3808]: flag: no null_afs
> login: pam_krb5[3808]: flag: cred_session
> login: pam_krb5[3808]: flag: no ignore_k5login
> login: pam_krb5[3808]: flag: user_check
> login: pam_krb5[3808]: will try previously set password first
> login: pam_krb5[3808]: will let libkrb5 ask questions
> login: pam_krb5[3808]: flag: no use_shmem
> login: pam_krb5[3808]: flag: no external
> login: pam_krb5[3808]: flag: no multiple_ccaches
> login: pam_krb5[3808]: flag: validate
> login: pam_krb5[3808]: flag: warn
> login: pam_krb5[3808]: minimum uid: 0
> login: pam_krb5[3808]: banner: Kerberos 5
> login: pam_krb5[3808]: ccache dir: /tmp
> login: pam_krb5[3808]: ccname template: DIR:/run/user/%U/krb5cc_XXXXXX
> login: pam_krb5[3808]: keytab: FILE:/etc/krb5.keytab
> login: pam_krb5[3808]: token strategy: 2b,rxk5
> login: pam_krb5[3808]: pam_acct_mgmt called for 'root', realm 'EXAMPLE.COM'
> login: pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
> returning "User not known to the underlying authentication module"

Your configuration file turns on the debug option all the time, so the
lack of anything being logged during the authentication phase, which
precedes the account management phase we see here, suggests that another
plugin signalled that authentication completed successfully.

The module gets called to check for password expiration during the
account management phase, and it's returning a user-unknown code because
it didn't try to check the user's password in the first place.

Replacing the "account required pam_krb5.so" with the more complicated
"account [default=bad success=ok user_unknown=ignore] pam_krb5.so" which
I think Predrag Zecevic suggested should instruct the PAM library to not
treat that as a fatal error.

HTH,

Nalin
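The reasoning in Nalin's reply hinges on how libpam combines the return codes of the modules in the account stack. The following is an added example, not code from this thread, from pam_krb5 or from Linux-PAM: a small Python model of the control-flag semantics documented in pam.conf(5), used to replay the two account stacks side by side. It assumes (a constructed scenario) that the local `pam_unix.so` account module precedes `pam_krb5.so` in `common-account-pc`, that `pam_unix` is satisfied with root, and that `pam_krb5` returns `user_unknown` for root, as the debug log above shows.

```python
"""Simplified model of how Linux-PAM's libpam aggregates module return codes
across one management stack (here: account).  Teaching model only, not libpam
itself; the action semantics follow pam.conf(5) and libpam's pam_dispatch.c."""

# Canonical expansions of the simple control keywords, as given in pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control: str) -> dict:
    """Turn `required` or `[success=ok ... default=bad]` into a retcode -> action map."""
    control = SIMPLE_CONTROLS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"unrecognised control field: {control!r}")
    actions = {}
    for token in control[1:-1].split():
        retcode, action = token.split("=", 1)
        actions[retcode] = action
    if "default" not in actions:
        raise ValueError("control field needs a default= action")
    return actions


def run_stack(stack, results):
    """stack:   list of (control, module) lines for one management group.
    results: module -> return code (pam.conf(5) keyword) that module yields.
    Returns (final status, trace of (module, retcode, action))."""
    impression = None      # None = undefined, "positive" or "negative"
    status = None
    trace = []
    for control, module in stack:
        actions = parse_control(control)
        retcode = results[module]
        action = actions.get(retcode, actions["default"])
        trace.append((module, retcode, action))
        if action == "ignore":
            continue                                  # does not contribute
        if action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retcode   # first failure wins
            if action == "die":
                break                                 # fail immediately
        elif action in ("ok", "done"):
            # 'ok' only overrides an undefined or still-successful state;
            # it never clears an earlier failure.
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retcode
            if action == "done" and impression == "positive":
                break                                 # short-circuit on success
        else:
            raise ValueError(f"action {action!r} not supported by this model")
    if impression is None:
        status = "perm_denied"   # libpam fails closed when no module contributed
    return status, trace


# Constructed scenario from the thread: root's password was accepted by another
# auth module, so pam_krb5's acct_mgmt has nothing to check and reports
# user_unknown, while pam_unix's acct_mgmt is happy with root.
RESULTS_FOR_ROOT = {"pam_unix.so": "success", "pam_krb5.so": "user_unknown"}

ORIGINAL_STACK = [("required", "pam_unix.so"),
                  ("required", "pam_krb5.so")]
FIXED_STACK = [("required", "pam_unix.so"),
               ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so")]


def account_decision(stack, results=RESULTS_FOR_ROOT):
    """Final status of the account phase for the given stack and module results."""
    status, _ = run_stack(stack, results)
    return status


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK), ("fixed", FIXED_STACK)):
        status, trace = run_stack(stack, RESULTS_FOR_ROOT)
        print(f"{name:8} -> {status}")
        for module, ret, act in trace:
            print(f"    {module:12} returned {ret:13} action {act}")
```

Replaying the original stack ends in `user_unknown`, which is the message login printed; with the bracketed control the `user_unknown` line is simply skipped and the result comes from `pam_unix`. The bracket form still maps every other non-success code to `bad`, so a genuine `acct_expired` from `pam_krb5` continues to refuse the login, which is the property worth checking before deploying the change.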
