Kerberos not allowing the network password for some users - HP UX



  1. Kerberos not allowing the network password for some users

    Production server rp7410 hp11v2, Test server rp5450 hp11v2 both have
    Dec '07 Quality Pack installed. Both up to date on patches. Network
    is a Windows Active Directory (AD).

    The Test server is a clone of the Production server, and I've been
    working with HP support on a couple of sambaclient problems. We have
    been using the Test server to try solutions and when we are confident
    the changes/patches work on the Test server I do the same changes on
    the Production server.

    Before I started to make any changes on the Production server users
    could use either their 'network' or their 'unix' (local) passwords
    when logging in. However somewhere along the way this stopped working
    on the Production server for those people whose network and
    local unix passwords are different; it still works on the Test server.

    syslog does show this when someone with different passwords tries the
    network password first:

    Mar 12 14:33:02 leto sshd[12931]: while verifying tgt[Unknown code ____ 255]
    Mar 12 14:33:02 leto sshd[12931]: [Authentication failed] Password not valid
    Mar 12 14:33:08 leto sshd[12931]: error: PAM: Authentication failed for User1 from uaxxxx.graceland.edu
    Mar 12 14:33:11 leto sshd[12931]: [Authentication failed] Password not valid
    Mar 12 14:33:11 leto sshd[12931]: Accepted password for User1 from 10.125.xx.xx port 4891 ssh2
    Mar 12 14:33:11 leto sshd[12931]: Pam Creds are not available


    To the best of my knowledge both servers are configured the same for
    Kerberos and PAM. I have checked /etc/krb5.conf & /etc/pam.krb5 on
    both systems and they are identical. (HP support wanted me to change
    which AD server we point to) Changing the file back has no effect.

    Besides /etc/krb5.conf what other files might I look at to see if
    there is some slight difference between the two servers that Kerberos
    uses?

    John
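
Added example, not part of the original post or of any HP-UX tooling: a small triage script that groups sshd syslog lines like the ones quoted above by host and PID and flags sessions that logged a TGT verification failure and still ended in an accepted password. The sample input is constructed from the post's log excerpt with the wrapped lines rejoined; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd lines quoted in the post, one event per line.
SAMPLE = """\
Mar 12 14:33:02 leto sshd[12931]: while verifying tgt[Unknown code ____ 255]
Mar 12 14:33:02 leto sshd[12931]: [Authentication failed] Password not valid
Mar 12 14:33:08 leto sshd[12931]: error: PAM: Authentication failed for User1 from uaxxxx.graceland.edu
Mar 12 14:33:11 leto sshd[12931]: [Authentication failed] Password not valid
Mar 12 14:33:11 leto sshd[12931]: Accepted password for User1 from 10.125.xx.xx port 4891 ssh2
Mar 12 14:33:11 leto sshd[12931]: Pam Creds are not available
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"^Accepted password for (\S+) from (\S+)")


def new_session():
    return {"tgt_verify_failed": False, "bad_password": 0, "pam_failures": 0,
            "no_pam_creds": False, "user": None, "source": None}


def summarize(text):
    """Group sshd syslog lines by (host, pid) and tally the auth events."""
    sessions = defaultdict(new_session)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd line, or a wrapped fragment
        host, pid, msg = m.groups()
        s = sessions[(host, pid)]
        accepted = ACCEPTED.match(msg)
        if msg.startswith("while verifying tgt"):
            s["tgt_verify_failed"] = True
        elif "Password not valid" in msg:
            s["bad_password"] += 1
        elif msg.startswith("error: PAM: Authentication failed"):
            s["pam_failures"] += 1
        elif msg.startswith("Pam Creds are not available"):
            s["no_pam_creds"] = True
        elif accepted:
            s["user"], s["source"] = accepted.groups()
    return dict(sessions)


def accepted_with_tgt_failure(sessions):
    """Sessions that logged a TGT verification failure and an accepted password."""
    return [(host, pid, s["user"]) for (host, pid), s in sorted(sessions.items())
            if s["tgt_verify_failed"] and s["user"]]


if __name__ == "__main__":
    for hit in accepted_with_tgt_failure(summarize(SAMPLE)):
        print("TGT check failed, password accepted:", hit)
```

Running the same summary over the syslog of both servers for one test account shows at a glance whether the TGT verification message appears on only one of them.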


  2. Re: Kerberos not allowing the network password for some users

    Are your clocks synchronized?

    jda wrote:
    > Production server rp7410 hp11v2, Test server rp5450 hp11v2 both have
    > Dec '07 Quality Pack installed. Both up to date on patches. Network
    > is a Windows Active Directory (AD).
    >
    > The Test server is a clone of the Production server, and I've been
    > working with HP support on a couple of sambaclient problems. We have
    > been using the Test server to try solutions and when we are confident
    > the changes/patches work on the Test server I do the same changes on
    > the Production server.
    >
    > Before I started to make any changes on the Production server users
    > could use either their 'network' or their 'unix' (local) passwords
    > when logging in. However somewhere along the way this stopped working
    > on the Production server for those people whose network and
    > local unix passwords are different; it still works on the Test server.
    >
    > syslog does show this when someone with different passwords tries the
    > network password first:
    >
    > Mar 12 14:33:02 leto sshd[12931]: while verifying tgt[Unknown code ____ 255]
    > Mar 12 14:33:02 leto sshd[12931]: [Authentication failed] Password not valid
    > Mar 12 14:33:08 leto sshd[12931]: error: PAM: Authentication failed for User1 from uaxxxx.graceland.edu
    > Mar 12 14:33:11 leto sshd[12931]: [Authentication failed] Password not valid
    > Mar 12 14:33:11 leto sshd[12931]: Accepted password for User1 from 10.125.xx.xx port 4891 ssh2
    > Mar 12 14:33:11 leto sshd[12931]: Pam Creds are not available
    >
    >
    > To the best of my knowledge both servers are configured the same for
    > Kerberos and PAM. I have checked /etc/krb5.conf & /etc/pam.krb5 on
    > both systems and they are identical. (HP support wanted me to change
    > which AD server we point to) Changing the file back has no effect.
    >
    > Besides /etc/krb5.conf what other files might I look at to see if
    > there is some slight difference between the two servers that Kerberos
    > uses?
    >
    > John
    >


  3. Re: Kerberos not allowing the network password for some users

    On Mar 12, 2:59 pm, Tom Smith wrote:
    > Are your clocks synchronized?
    >


    Yes, well within a second or two. The two HPUX servers seem to be
    dead on and the Windows server 1-2 seconds faster.

    John

