superfluous pam warnings when authenticating to 2 krb5 realms - Kerberos




  1. superfluous pam warnings when authenticating to 2 krb5 realms

    Hello,

    I'm configuring a CentOS 4.3 to authenticate users via krb5 on two
    separate realms.
    Login is working fine but I'm seeing some messages from pam that I'd
    like to get rid of.

    Realms are DOMAINA.COM containing user testA and DOMAINB.COM
    containing user testB.
    Both users have been useradded to the CentOS server.

    (Logging in as user testA on realm DOMAINA.COM)
    Nov 13 12:05:26 xxxxx sshd(pam_unix)[30270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testA
    Nov 13 12:05:27 xxxxx sshd[30270]: pam_krb5[30270]: authentication succeeds for 'testA' (testA@DOMAINA.COM)
    Nov 13 12:05:27 xxxxx sshd(pam_unix)[30274]: session opened for user testA by (uid=0)
    Nov 13 12:05:30 xxxxx sshd(pam_unix)[30274]: session closed for user testA

    (logging in as user testB on realm DOMAINB.COM)
    Nov 13 12:05:50 xxxxx sshd(pam_unix)[30308]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testB
    Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication fails for 'testB' (testB@DOMAINA.COM): User not known to the underlying authentication module (Client not found in Kerberos database)
    Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication succeeds for 'testB' (testB@DOMAINB.COM)
    Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: account checks fail for 'testB': user is unknown
    Nov 13 12:05:50 xxxxx sshd(pam_unix)[30313]: session opened for user testB by (uid=0)
    Nov 13 12:05:52 xxxxx sshd(pam_unix)[30313]: session closed for user testB

    Here are the contents of /etc/pam.d/system-auth. DOMAINA.COM is set up
    as the default realm in /etc/krb5.conf.
    # local passwd/shadow is tried first; the default realm (DOMAINA.COM) next, then DOMAINB.COM
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1000
    auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass realm=DOMAINB.COM minimum_uid=1000
    auth required /lib/security/$ISA/pam_deny.so

    account required /lib/security/$ISA/pam_unix.so broken_shadow
    account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so minimum_uid=1000
    account sufficient /lib/security/$ISA/pam_krb5.so realm=DOMAINB.COM minimum_uid=1000
    account required /lib/security/$ISA/pam_permit.so

    password requisite /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so use_authtok minimum_uid=1000
    password sufficient /lib/security/$ISA/pam_krb5.so use_authtok realm=DOMAINB.COM minimum_uid=1000
    password required /lib/security/$ISA/pam_deny.so

    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so
    session optional /lib/security/$ISA/pam_krb5.so

    So in the second case the system tries to authenticate user testB
    first to DOMAINA.COM, then DOMAINB.COM (as configured) and
    authentication in DOMAINA.COM fails because the testB account doesn't
    exist there.
    I'd like to avoid the pam_krb5 "authentication fails" and "account
    checks fail" messages getting logged there if that's possible.

    The pam_unix "authentication fails" messages are probably due to the
    system first trying (and failing) to authenticate via the local
    passwd/shadow before using Kerberos.
    Is there any way to avoid this happening while still getting a
    legitimate warning when someone fails to connect using a non-Kerberos
    account?

    Thanks in advance for your replies.


  2. Re: superfluous pam warnings when authenticating to 2 krb5 realms

    sam.bracke@gial.be writes:

    > I'm configuring a CentOS 4.3 to authenticate users via krb5 on two
    > separate realms. Login is working fine but I'm seeing some messages
    > from pam that I'd like to get rid of.


    > Realms are DOMAINA.COM containing user testA and DOMAINB.COM containing
    > user testB. Both users have been useradded to the CentOS server.


    You wouldn't get those additional error messages (or, for that matter, the
    success messages) when using my pam-krb5, for whatever it's worth. It
    looks like the default CentOS pam-krb5 is more verbose.

    --
    Russ Allbery (rra@stanford.edu)
