Logging in with kerberos fails, but acquiring a ticket with kinit does not

Logging in with kerberos fails, but acquiring a ticket with kinit does not

tps (Bugzilla)
Hi!

I've set up Ubuntu to auth against a kerberos server. The client is
equipped with:
krb5-config
krb5-user
libgssapi-krb5-2
libkrb5-3
libkrb5support0
libpam-krb5

/etc/krb5.config holds:
[libdefaults]
        default_realm = EXAMPLE.COM
        #dns_lookup_kdc = true
        #dns_lookup_realm = true

    # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.COM = {
                kdc = srv.example.com
                admin_server = srv.example.com
                default_domain = example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        default = FILE:/var/log/kerberos/krb5lib.log
        admin_server = FILE:/var/log/kerberos/kadmin.log

PAM (/etc/pam.d/common-auth):
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Now local login:
user@host:~$ su - user
Password:
su: Fehler bei Authentifizierung
user@host:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
user@host:~$ kinit user
Password for [hidden email]:
user@host:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [hidden email]

Valid starting     Expires            Service principal
01/26/11 23:30:12  01/27/11 09:30:12  krbtgt/[hidden email]
        renew until 01/27/11 23:30:07

Any idea what's wrong here?


--
Thomas
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Logging in with kerberos fails, but acquiring a ticket with kinit does not

Jean-Yves Avenard-2
Hi

On 27 January 2011 09:38, Thomas Schweikle <[hidden email]> wrote:

I don't see what your problem is here.
> Now local login:
> user@host:~$ su - user
> Password:
> su: Fehler bei Authentifizierung

You don't have a Kerberos ticket here; so what did you expect differently?

Also, does your /etc/pam.d contain an entry for SU? Is it configured
to use Kerberos?

> user@host:~$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
> user@host:~$ kinit user
> Password for [hidden email]:
> user@host:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [hidden email]
>
> Valid starting     Expires            Service principal
> 01/26/11 23:30:12  01/27/11 09:30:12  krbtgt/[hidden email]
>        renew until 01/27/11 23:30:07
>
> Any idea what's wrong here?

What do you think is wrong?
How are you trying to "logging"? Via su? Via ssh? Other methods?

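
The reply asks whether the `su` service has a PAM entry and whether that entry reaches Kerberos. One way to check, as an added example that is not from either poster: print the effective `auth` stack of a service, following `@include` lines and `include`/`substack` rules, and falling back to `other` when the service has no file. `PAM_DIR` and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: show which auth modules a PAM service
# really runs, so "is su configured to use pam_krb5?" can be answered directly.
# PAM_DIR is this example's own knob so it can be aimed at a test tree.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

pam_auth_stack() (      # usage: pam_auth_stack <file> [depth]; body is a subshell
    file="$PAM_DIR/$1"; depth="${2:-0}"
    [ "$depth" -lt 8 ] || exit 0            # stop on include loops
    [ -r "$file" ] || exit 0
    set -f                                  # no globbing while word-splitting
    while read -r type control rest || [ -n "$type" ]; do
        case "$type" in
            ''|'#'*)  continue ;;
            @include) pam_auth_stack "$control" $((depth + 1)); continue ;;
            -auth)    type=auth ;;          # leading "-" only silences a missing module
        esac
        [ "$type" = auth ] || continue
        case "$control" in                  # re-join "[value=action ...]" split by read
            '['*']') ;;
            '['*)    control="$control ${rest%%]*}]"; rest="${rest#*]}" ;;
        esac
        set -- $rest                        # $1 = module, or the included file name
        case "$control" in
            include|substack) pam_auth_stack "$1" $((depth + 1)) ;;
            *) printf '%s\t%s\n' "$control" "${1:-}" ;;
        esac
    done < "$file"
)

pam_service_auth() {    # usage: pam_service_auth <service>
    svc="$1"
    [ -r "$PAM_DIR/$svc" ] || svc=other     # libpam falls back to "other"
    pam_auth_stack "$svc"
}

uses_krb5() { pam_service_auth "$1" | grep -q 'pam_krb5\.so'; }

# Stand-alone use: ./pam-auth-stack.sh su
if [ -n "${1:-}" ]; then pam_service_auth "$1"; fi
```

Each output line is the control field, a tab, and the module, in the order PAM evaluates them; a service whose output lacks `pam_krb5.so` never attempts Kerberos regardless of what `common-auth` contains.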