PAM hangs after authenticating against 2003 AD - Kerberos


  1. PAM hangs after authenticating against 2003 AD

    Hi,

    I was looking for a PAM group, but couldn't find one, so I hope someone
    here might have the knowledge.

    I am trying to log into my Linux box, using a password from a Win 2003
    AD.
    Everything seems to be talking, but after login,
    everything hangs for 30 seconds and then exits out.


    So if anyone has any idea on adding more debug info, I would appreciate
    it - I'm kinda stuck...





    This is what happens on the client:
    ------------------------------------------------------
    krbtest:~# login test
    Password:

    ------------------------------------------------------
    (60 seconds pass, then back to the command line with a timeout from the
    login program)



    The log says (Two lines, showing up right after entering password):
    ------------------------------------------------------
    Aug 8 11:50:45 localhost login[13538]: (pam_unix) authentication failure; logname=newbie uid=0 euid=0 tty=tty1 ruser= rhost= user=newbie
    Aug 8 11:50:45 localhost login[13538]: pam_krb5: pam_sm_authenticate(login newbie): entry:
    ------------------------------------------------------
    (And nothing else - I've tried adding "debug" in as many places as I could.)



    The AD has a record saying I'm approved:
    ------------------------------------------------------
    Authentication Ticket Request:
    User Name: test
    Supplied Realm Name: REALM.COM
    User ID: REALM\test
    Service Name: krbtgt
    Service ID: REALM\krbtgt
    Ticket Options: 0x50000010
    Result Code: -
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 2
    Client Address: 1.0.242.250
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    ------------------------------------------------------



    If I do a tcpdump I get:
    ------------------------------------------------------
    krbtest:~# tcpdump -s 1500 -x -n -p udp port 88
    11:47:00.506913 IP 1.0.242.250.32874 > 1.0.242.242.88: v5
    0x0000: 4500 00d2 e308 4000 4011 6f25 0100 f2fa  E.....@.@.o%....
    0x0010: 0100 f2f2 806a 0058 00be 2fc0 6a81 b330  ......j.X../.j..0
    (snip snip snip)
    ------------------------------------------------------
    4 packets in total - Client->AD, AD->Client, Client->AD, AD->Client.



    Kerberos is installed using Debian packages, login configured by adding
    a line to the end of /etc/pam.d/login:
    ------------------------------------------------------
    (snip)

    @include common-kerberos
    ------------------------------------------------------



    ....where common-kerberos is:
    ------------------------------------------------------
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
    auth sufficient pam_krb5.so try_first_pass forwardable debug
    account sufficient pam_krb5.so debug
    password sufficient pam_krb5.so try_first_pass debug
    ------------------------------------------------------
    (I tried adding the user locally (with another pw) and removing
    'pam_mkhomedir.so', but it didn't help... same result)


  2. Re: PAM hangs after authenticating against 2003 AD

    Additional info:

    Local login works using pam_unix...

    Even if I put pam_unix to be optional (i.e. all passwords are accepted)
    it works - except if I put in the right password from the AD.

    So it's something with the Kerberos process in pam_krb5...


    j-


  3. Re: PAM hangs after authenticating against 2003 AD

    On 2006-08-08 15:03:46 +0200, "Jesper Angelo" said:

    > Additional info:
    >
    > Local login works using pam_unix...
    >
    > Even if I put pam_unix to be optional (ie all passwords are accepted)
    > it works - except if I put in the right password from the AD.
    >
    > So its something with the kerberos process in pam_krb5...


    Make a local user, login with this new guy and kinit to AD, get any log
    you can if something goes wrong. Work for some time to make sure you're
    not kicked out of the system (I understand this is what happens)
    collecting logs.

    Make clear what you mean by ``hangs for 30 secs''. Do you mean that it
    actually *freezes*? Can you type in the console?

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]


  4. Re: PAM hangs after authenticating against 2003 AD

    Account: newbie ( Created on both AD and local (/etc/passwd) )

    Login with pam_unix yields:
    ----------------------------------------------------------------
    ==> /var/log/auth.log <==
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): entry:
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): krb5_get_init_creds_password(): Preauthentication failed
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): exit: failure
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): entry:
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): krb5_get_init_creds_password(): Preauthentication failed
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): exit: failure
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_acct_mgmt(login newbie): entry:
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_acct_mgmt(login newbie): ccache: not found
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): entry:
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): pam_get_data(): No module specific data is present
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): exit: failure
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): entry:
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): pam_get_data(): No module specific data is present
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): exit: failure
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): entry:
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): pam_get_data(): No module specific data is present
    Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): exit: failure
    ----------------------------------------------------------------

    Then I kinit... AD says it's a success and I get a ticket (and it doesn't
    get deleted for a loong time).

    Funny enough - the logfile shows nothing :-/ (Even if I kdestroy followed
    by kinit...)

    The login freezes in the sense that nothing happens. If I press CTRL-C,
    it exits back to prompt.

    It seems like it authorizes, and then doesn't know what to do next, thus
    times out after 60 seconds...?


    hope it makes sense :-)


    Jesper Angelo






  5. Re: PAM hangs after authenticating against 2003 AD

    On 2006-08-09 12:21:56 +0200, "Jesper Angelo" said:

    > Account: newbie ( Created on both AD and local (/etc/passwd) )


    Well, what I intended was to create a local user and then kinit to a
    principal. So on unix ``localuser'' and on AD ``aduser''.

    > Login with pam_unix yields: [...]
    > Aug 9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
    > newbie): exit: failure


    Remove the PAM module from the configuration, and login /locally/. You
    probably have a Kerberos problem.

    > Then i kinit... AD says its a success and I get ticket (and it doesnt
    > get deleted for a loong time).
    >
    > Funny enough - logfile shows nothing :-/ (Even if I kdestory followed
    > by kinit...)


    These applications don't log, sorry.

    > The login freezes in the sense that nothing happens. If I press CTRL-C,
    > it exits back to prompt.


    Mmh...

    > I seems like it authorizes, and then dont know what to do next, thus
    > times out after 60 seconds...?
    >
    >
    > hope it makes sense :-)


    Clear the auth log and login as I said /locally/ with a /pure/ /local/
    user. See what happens working with this user. If you can work and
    you're not kicked out, then kinit to a principal, noting what klist
    (klist -aef --- if you want).

    Then, if you /can/ kinit /and/ work with a local user, post the pam and
    kerberos configuration files.

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]


  6. Re: PAM hangs after authenticating against 2003 AD

    I have trimmed down the configs heavily, so now I still can't login,
    but at least I get a login incorrect. Let's see...

    > Clear the auth log and login as I said /locally/ with a /pure/ /local/
    > user. See what happens working with this user. If you can work and
    > you're not kicked out, then kinit to a principal, noting what klist
    > (klist -aef --- if you want).


    Local login works (login as 'newbie'), which shows in the logs as:
    ================================================== ==========
    krbtest login: newbie
    Password for newbie: (local password typed in)
    --[LOG]-----------------------------------------------------
    Aug 10 15:28:14 krbtest login[1123]: (pam_unix) session opened for user
    newbie by LOGIN(uid=0)
    ================================================== ==========

    Then kinit to user 'guru' on AD (AD reports user authenticated):
    ================================================== ==========
    newbie@krbtest:~$ kinit guru
    Password for guru@BORSEN-ONLINE.DK:
    newbie@krbtest:~$
    --[LOG]-----------------------------------------------------
    (nothing happens)
    ================================================== ==========

    klist for user shows:
    ============================================================
    newbie@krbtest:~$ klist -aef
    Ticket cache: FILE:/tmp/krb5cc_1001
    Default principal: guru@BORSEN-ONLINE.DK

    Valid starting     Expires            Service principal
    08/10/06 15:32:27  08/11/06 01:30:45  krbtgt/BORSEN-ONLINE.DK@BORSEN-ONLINE.DK
            renew until 08/11/06 01:32:27, Flags: RIA
            Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
            Addresses: (none)


    Kerberos 4 ticket cache: /tmp/tkt1001
    klist: You have no tickets cached
    newbie@krbtest:~$
    --[LOG]-----------------------------------------------------
    (nothing happens)
    ============================================================

    Keytab shows (ran as root):
    ============================================================
    krbtest:~# klist -kt
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       5 01/01/70 01:00:00 host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK
    krbtest:~#
    --[LOG]-----------------------------------------------------
    (nothing happens)
    ============================================================

    So far so good. If I then log out, add krb to login in PAM, and log
    in, I get:
    ================================================== ==========
    krbtest login: newbie
    Password for newbie@BORSEN-ONLINE.DK: (ad password for newbie typed in)
    Login incorrect

    Login:
    --[LOG]-----------------------------------------------------
    Aug 10 15:37:17 krbtest login[1151]: pam_krb5: pam_sm_authenticate(login newbie): entry:
    Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt(): krb5_mk_req(): Server not found in Kerberos database
    Aug 10 15:37:22 krbtest login[1151]: pam_krb5: pam_sm_authenticate(login newbie): exit: failure
    Aug 10 15:37:22 krbtest login[1151]: (pam_unix) authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=newbie
    Aug 10 15:37:25 krbtest login[1151]: FAILED LOGIN (1) on `tty1' FOR `newbie', Permission denied
    ================================================== ==========


    > Then, if you /can/ kinit /and/ work with a local user, post the pam and
    > kerberos configuration files.


    pam conf for login (/etc/pam.d/login):
    ================================================== ==========
    /etc/pam.d/login
    auth sufficient pam_krb5.so debug
    auth sufficient pam_unix.so try_first_pass debug

    password sufficient pam_krb5.so debug
    password sufficient pam_unix.so debug

    account optional pam_krb5.so debug
    account optional pam_unix.so debug

    session optional pam_krb5.so debug
    session optional pam_unix.so debug
    ================================================== ==========

    krb5.conf (/etc/krb5.conf)
    ================================================== ==========
    [logging]
    default = FILE:/var/log/kerberos/krb5libs.log
    kinit = FILE:/var/log/kerberos/kinit.log
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmind.log

    [libdefaults]
    debug = true
    default_realm = BORSEN-ONLINE.DK
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24000

    [realms]
    BORSEN-ONLINE.DK = {
    kdc = adtest.borsen-online.dk
    admin_server = adtest.borsen-online.dk
    # default_domain = borsen-online.dk
    kpasswd_protocol= SET_CHANGE
    }

    [domain_realm]
    .borsen-online.dk = BORSEN-ONLINE.DK
    # borsen-online.dk = BORSEN-ONLINE.DK

    [login]
    debug = true
    ================================================== ==========


    Hope you or someone else can see what's going on...?


    Thank you,

    Jesper Angelo
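    A side point on the /etc/pam.d/login stack posted in this message: every account and session entry is "optional" and every auth/password entry is "sufficient", so with no required or requisite module a stage succeeds even when every module in it fails, and the account stage can never reject a locked or expired account. That is independent of the "Server not found" error being chased, but it is worth catching while the file is being trimmed. The following is an added example, not configuration or code from the thread or from any of its posters: a small POSIX shell lint that flags such stages. The first sample file is the stack as posted; the hardened variant and the function names are assumed for this example, not something the thread settled on.

```shell
#!/bin/sh
# Added example, not from the thread: lint a PAM service file for stages in
# which no module can make the stage fail. A stage built only from "optional"
# or "sufficient" entries succeeds even when every module fails, so
# "account optional pam_krb5.so" + "account optional pam_unix.so" can never
# reject a locked or expired account.

# pam_stack_lint <file>
# Prints "<stage>: no required/requisite entry" for each weak stage.
# Exit status 0 when every stage has a required/requisite module, 1 otherwise.
pam_stack_lint() {
    awk '
        /^[ \t]*(#|$)/   { next }     # skip comments and blank lines
        $1 == "@include" { next }     # included files are not followed here
        {
            stage = $1; ctrl = $2
            seen[stage] = 1
            if (ctrl == "required" || ctrl == "requisite") strong[stage] = 1
            # bracketed control syntax counts as strong if it can return die/bad
            if (ctrl ~ /^\[/ && $0 ~ /=(die|bad)/) strong[stage] = 1
        }
        END {
            weak = 0
            for (s in seen)
                if (!strong[s]) { printf "%s: no required/requisite entry\n", s; weak = 1 }
            exit weak
        }' "$1"
}

# Constructed sample: the /etc/pam.d/login stack posted in the thread.
write_posted_stack() {
    cat > "$1" <<'EOF'
auth sufficient pam_krb5.so debug
auth sufficient pam_unix.so try_first_pass debug
password sufficient pam_krb5.so debug
password sufficient pam_unix.so debug
account optional pam_krb5.so debug
account optional pam_unix.so debug
session optional pam_krb5.so debug
session optional pam_unix.so debug
EOF
}

# Assumed hardened variant (not from the thread): pam_unix is the required
# fallback in every stage, so a Kerberos failure falls through to the local
# password and a failed account check actually denies the login.
write_hardened_stack() {
    cat > "$1" <<'EOF'
auth sufficient pam_krb5.so
auth required pam_unix.so use_first_pass
account optional pam_krb5.so
account required pam_unix.so
password sufficient pam_krb5.so
password required pam_unix.so use_authtok
session optional pam_krb5.so
session required pam_unix.so
EOF
}

# Demo run on both samples (exit status deliberately ignored here).
tmp=$(mktemp)
write_posted_stack "$tmp";   echo "posted stack:";   pam_stack_lint "$tmp" || true
write_hardened_stack "$tmp"; echo "hardened stack:"; pam_stack_lint "$tmp" && echo "ok"
rm -f "$tmp"
```

    Run it against a real file with `pam_stack_lint /etc/pam.d/login`; it only reads the file named, so stacks pulled in through `@include common-*` must be checked separately. The bracketed `[success=... default=...]` control syntax is only recognised coarsely, as a strong entry when it can return `die` or `bad`.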


  7. Re: PAM hangs after authenticating against 2003 AD

    Just adding - this is what I get in the event log on the AD:

    -------------------------------------------------------------------------
    Authentication Ticket Request:
    User Name: newbie
    Supplied Realm Name: BORSEN-ONLINE.DK
    User ID: ONLINE\newbie
    Service Name: krbtgt
    Service ID: ONLINE\krbtgt
    Ticket Options: 0x10
    Result Code: -
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 2
    Client Address: 1.0.242.250
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:


    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    -------------------------------------------------------------------------


  8. Re: PAM hangs after authenticating against 2003 AD

    On 2006-08-10 15:41:52 +0200, "Jesper Angelo" said:

    > I have trimmed down the configs heavily, so now I still can't login,
    > but at least I get a login incorrect. Lets see...
    >
    >> Clear the auth log and login as I said /locally/ with a /pure/ /local/
    >> user. See what happens working with this user. If you can work and
    >> you're not kicked out, then kinit to a principal, noting what klist
    >> (klist -aef --- if you want).

    >
    > Local login works (login as 'newbie'), which show in logs as:
    > ================================================== ==========
    > krbtest login: newbie
    > Password for newbie: (local password typed in)
    > --[LOG]-----------------------------------------------------
    > Aug 10 15:28:14 krbtest login[1123]: (pam_unix) session opened for user
    > newbie by LOGIN(uid=0)
    > ================================================== ==========
    >
    > Then kinit to user 'guru' on AD (AD reports user authenticated):
    > ================================================== ==========
    > newbie@krbtest:~$ kinit guru
    > Password for guru@BORSEN-ONLINE.DK:
    > newbie@krbtest:~$
    > --[LOG]-----------------------------------------------------
    > (nothing happens)
    > ================================================== ==========


    Should be so.

    > klist for user shows:
    > ================================================== ==========
    > newbie@krbtest:~$ klist -aef
    > Ticket cache: FILE:/tmp/krb5cc_1001
    > Default principal: guru@BORSEN-ONLINE.DK
    >
    > Valid starting Expires Service principal
    > 08/10/06 15:32:27 08/11/06 01:30:45
    > krbtgt/BORSEN-ONLINE.DK@BORSEN-ONLINE.DK
    > renew until 08/11/06 01:32:27, Flags: RIA
    > Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    > Addresses: (none)
    >
    >
    > Kerberos 4 ticket cache: /tmp/tkt1001
    > klist: You have no tickets cached
    > newbie@krbtest:~$
    > --[LOG]-----------------------------------------------------
    > (nothing happens)
    > ================================================== ==========


    Again, no logging is ever provided for these commands.

    > Keytab shows (ran as root):
    > ================================================== ==========
    > krbtest:~# klist -kt
    > Keytab name: FILE:/etc/krb5.keytab
    > KVNO Timestamp Principal
    > ---- -----------------
    > --------------------------------------------------------
    > 5 01/01/70 01:00:00 host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK
    > krbtest:~#
    > --[LOG]-----------------------------------------------------
    > (nothing happens)
    > ================================================== ==========
    >
    > So far so good.


    Yep, it seems that you can get tickets. Good.

    > If I then logout, adds krb to login in PAM, and logs
    > in, I get:
    > ================================================== ==========
    > krbtest login: newbie
    > Password for newbie@BORSEN-ONLINE.DK: (ad password for newbie typed in)
    > Login incorrect
    >
    > Login:
    > --[LOG]-----------------------------------------------------
    > Aug 10 15:37:17 krbtest login[1151]: pam_krb5:
    > pam_sm_authenticate(login newbie): entry:
    > Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt():
    > krb5_mk_req(): Server not found in Kerberos database
    > Aug 10 15:37:22 krbtest login[1151]: pam_krb5:
    > pam_sm_authenticate(login newbie): exit: failure
    > Aug 10 15:37:22 krbtest login[1151]: (pam_unix) authentication failure;
    > logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=newbie
    > Aug 10 15:37:25 krbtest login[1151]: FAILED LOGIN (1) on `tty1' FOR
    > `newbie', Permission denied
    > ================================================== ==========


    Trying to use pam_krb5 and you get a nice

    ``server not found''...

    A question: are the keytab entries /completely/ matching the server
    entries? PAM is a service while kinit is not, and so it's really
    sensitive to these errors. Also remember that the keytab must use a FQDN.

    > [libdefaults]
    > debug = true
    > default_realm = BORSEN-ONLINE.DK
    > dns_lookup_realm = true
    > dns_lookup_kdc = true
    > ticket_lifetime = 24000
    >
    > [realms]
    > BORSEN-ONLINE.DK = {
    > kdc = adtest.borsen-online.dk
    > admin_server = adtest.borsen-online.dk
    > # default_domain = borsen-online.dk
    > kpasswd_protocol= SET_CHANGE
    > }
    >
    > [domain_realm]
    > .borsen-online.dk = BORSEN-ONLINE.DK
    > # borsen-online.dk = BORSEN-ONLINE.DK


    Depending on what software you are using, domain_realm might not work.
    I found systems where I needed BOTH mappings, and systems in which I
    needed none of them.

    My 2 cents, sorry

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]


  9. Re: PAM hangs after authenticating against 2003 AD

    pam_krb5 checks that the KDC you talk to is not a fake by using the host
    principal in the default keytab. Look at the traffic on port 88 with
    Ethereal and you should see a tgt request for host/server-fqdn. Some PAM
    modules have an option to not do this verification; check your man pages.

    Regards
    Markus




  10. Re: PAM hangs after authenticating against 2003 AD

    Markus Moeller writes:

    > pam_krb5 checks if the kdc you talk to is not a fake by using the host
    > principal in the default keytab. Look at the traffic on port 88 with
    > ethereal and you should see a tgt request for host/server-fqdn. Some pam
    > modules have an option to not do this verification, check your man
    > pages.


    You shouldn't see a TGT request. You should see a request for a service
    ticket (a KRB_TGS_REQ).

    >>> --[LOG]-----------------------------------------------------
    >>> Aug 10 15:37:17 krbtest login[1151]: pam_krb5:
    >>> pam_sm_authenticate(login newbie): entry:
    >>> Aug 10 15:37:22 krbtest login[1151]: pam_krb5: verify_krb_v5_tgt():
    >>> krb5_mk_req(): Server not found in Kerberos database
    >>> Aug 10 15:37:22 krbtest login[1151]: pam_krb5:
    >>> pam_sm_authenticate(login newbie): exit: failure


    This log message smells like the Debian PAM module. (I just uploaded a
    new version of that module with much better error reporting, btw, but it's
    only in unstable at the moment.) That error message, if coming from the
    Debian PAM module, says that you have a key for the local system in its
    keytab file, but when the server attempted to generate an authenticator
    for that key, the KDC said that the principal didn't exist in the KDC. In
    other words, I would suspect either an outdated keytab file or a keytab
    file for some realm other than the system's default realm.

    --
    Russ Allbery (rra@stanford.edu)

  11. Re: PAM hangs after authenticating against 2003 AD

    You still have "Server not found in Kerberos database" in your log. Could
    you capture the TGS REQ and reply with Ethereal?
    Sometimes the issue is a wrong hosts entry (e.g. the short hostname is in
    front of the FQDN).

    Markus





    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
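    Replies 8, 10 and 11 above circle the same two inputs: pam_krb5's KDC verification builds the service principal host/<canonical hostname>@REALM, requests a ticket for it (a TGS request, as Russ notes) and checks that ticket against the key in /etc/krb5.keytab. The hostname comes from the resolver, so a hosts entry with the short name first hands the module host/krbtest@REALM, a principal the KDC has never heard of, and an outdated keytab or one cut for another realm fails the same way. The following is an added example, not code from the thread or from any pam_krb5 module: a POSIX shell pre-flight that derives the expected host principal from a hosts-file line and checks a saved `klist -kt` listing for it. The keytab listing is the one posted in the thread; the two hosts lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the two inputs that
# pam_krb5's KDC verification depends on. The module builds the service
# principal host/<canonical hostname>@REALM, asks the KDC for a ticket for it
# (a TGS request) and verifies that ticket with the keytab key. The name comes
# from the resolver, so a hosts line that lists the short name first yields
# host/krbtest@REALM, which the KDC does not know.

# canonical_name <ip> <hosts-file>
# Prints the first name on the matching hosts line: that is the name the
# resolver reports as canonical for a reverse lookup of <ip>.
canonical_name() {
    awk -v ip="$1" '/^[ \t]*#/ { next } $1 == ip { print $2; exit }' "$2"
}

# expected_host_principal <ip> <hosts-file> <realm>
# Prints host/<canonical name>@<realm>; warns on stderr if the name has no dot.
expected_host_principal() {
    name=$(canonical_name "$1" "$2") || return 1
    [ -n "$name" ] || { echo "no hosts entry for $1" >&2; return 1; }
    case $name in
        *.*) ;;
        *)   echo "warning: canonical name '$name' is not fully qualified" >&2 ;;
    esac
    echo "host/$name@$3"
}

# keytab_has <principal> <file holding 'klist -kt' output>
# Returns 0 if any entry's principal column equals <principal>.
keytab_has() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }' "$2"
}

# Constructed samples. The keytab listing is the one posted in the thread; the
# two hosts lines are assumed, one correct and one with the short name first.
write_keytab_listing() {
    cat > "$1" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 01/01/70 01:00:00 host/krbtest.borsen-online.dk@BORSEN-ONLINE.DK
EOF
}
write_hosts_good() { echo "1.0.242.250 krbtest.borsen-online.dk krbtest" > "$1"; }
write_hosts_bad()  { echo "1.0.242.250 krbtest krbtest.borsen-online.dk" > "$1"; }

# preflight <ip> <hosts-file> <realm> <keytab-listing>
# Exit 0 when the keytab holds the principal the resolver will produce.
preflight() {
    princ=$(expected_host_principal "$1" "$2" "$3") || return 1
    if keytab_has "$princ" "$4"; then
        echo "ok: keytab has $princ"
    else
        echo "missing: keytab has no entry for $princ"
        return 1
    fi
}

# Demo on the constructed samples (exit status deliberately ignored).
kt=$(mktemp); h=$(mktemp)
write_keytab_listing "$kt"
write_hosts_good "$h"; preflight 1.0.242.250 "$h" BORSEN-ONLINE.DK "$kt" || true
write_hosts_bad  "$h"; preflight 1.0.242.250 "$h" BORSEN-ONLINE.DK "$kt" || true
rm -f "$kt" "$h"
```

    On a live system the same inputs come from `getent hosts <ip>` or `hostname -f` and from `klist -kt` run as root; feed the saved listing and the real /etc/hosts to `preflight`. A "missing" result means either the resolver's canonical name or the keytab's principal has to change so that they agree, which is the mismatch the "Server not found in Kerberos database" line in the posted log points at.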

