I think I see part of the problem, and don't know who is
to "blame" for it.

The command 'kdb5_util create -r RCF.FOO.COM -s' created
krbtgt/RCF.FOO.COM@RCF.FOO.COM

The authentication process is trying to find
krbtgt/rcf.foo.com@RCF.FOO.COM which does not exist.

Is kdb5_util creating an improperly named krbtgt principal
or is RHELv4 pam_krb5.so improperly naming its requested
principal (lowercasing it)?

Jeff Blaine wrote:
> Hi Russ,
>
> > Your PAM module seems to be probing for a default realm by
> > trying various manipulations of your local hostname. Usually
> > this would indicate that your krb5.conf isn't setting a local
> > realm.
>
> Here's /etc/krb5.conf. Using 'kinit jblaine' asks me for
> the password for jblaine@RCF.FOO.COM, so I believe it is
> using krb5.conf fine.
>
> [libdefaults]
> default_realm = RCF.FOO.COM
> forwardable = yes
>
> [appdefaults]
> forwardable = yes
>
> [domain_realm]
> .foo.com = RCF.FOO.COM
> foo.com = RCF.FOO.COM
>
> [realms]
> RCF.FOO.COM = {
> kdc = kdc.foo.com
> admin_server = kdc.foo.com
> }
>
> [logging]
> kdc = FILE:/var/adm/krb5kdc.log
> admin_server = FILE:/var/adm/kadmin.log
> default = FILE:/var/adm/krb5lib.log
>
> > Does the stock pam_krb5.so on Solaris look for krb5.conf in
> > some different path than the one that you updated, perhaps?
>
> The only Solaris box in the picture is the KDC, kdc.foo.com.
>
> pam_krb5.so is in use on the client, rcf-kerbtest-linux.foo.com
> (aka 129.83.11.213).
>
> All pam_krb5.so modules in use are stock.
>
> >> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ
> >> (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,
> >> jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, Server not
> >> found in Kerberos database
> >
> > These are interesting. I've not heard of afsx before. What aklog
> > are you using?
>
> Interesting indeed. OpenAFS 1.4.3 aklog.
>
> I just found the reference in the RHELv4 pam_krb5.so
> on the client box:
>
> # strings /lib/security/pam_krb5.so | grep afsx
> afsx
> #
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

>The authentication process is trying to find
>krbtgt/rcf.foo.com@RCF.FOO.COM which does not exist.
>
>Is kdb5_util creating an improperly named krbtgt principal
>or is RHELv4 pam_krb5.so improperly naming its requested
>principal (lowercasing it)?

As a guess, I believe that pam_krb5.so thinks that it needs to authenticate
to the realm rcf.foo.com, so it's asking for a cross-realm ticket to go
between rcf.foo.com and RCF.FOO.COM. I don't see anything in your
krb5.conf that would make it think that, but something is hinky here.

(It's definately not a problem on your KDC, FWIW).

--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

I believe I am chalking this (original reported issue)
up to a broken sshd_config, believe it or not. All of
the crazy UNKNOWN_SERVER errors are gone.

UsePAM was yes, ChallengeResponseAuthentication was "no"
so no PAM auth was being used. Don't ask me how, but I
was getting in somehow and getting creds after a 10sec
delay and the spammy errors.

I forced all GSSAPI and Kerberos options to "no" and left
ChallengeResponseAuthentication and UsePAM as "yes".

NOW I get right in ... and *end up with no stored* krb5
credentials. krb5kdc.log shows them acquired.

client sshd[19529]: pam_krb5[19529]: configured realm 'RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: flags: forwardable
client sshd[19529]: pam_krb5[19529]: flag: no ignore_afs

^^^ HUH? Flag not even in man page.

client sshd[19529]: pam_krb5[19529]: flag: user_check
client sshd[19529]: pam_krb5[19529]: flag: no krb4_convert

^^^ NOTE

client sshd[19529]: pam_krb5[19529]: flag: warn
client sshd[19529]: pam_krb5[19529]: ticket lifetime: 0
client sshd[19529]: pam_krb5[19529]: renewable lifetime: 0
client sshd[19529]: pam_krb5[19529]: minimum uid: 100
client sshd[19529]: pam_krb5[19529]: banner: Kerberos 5
client sshd[19529]: pam_krb5[19529]: ccache dir: /tmp
client sshd[19529]: pam_krb5[19529]: keytab: /etc/krb5.keytab
client sshd[19529]: pam_krb5[19529]: called to authenticate 'jblaine'
client sshd[19529]: pam_krb5[19529]: authenticating 'jblaine@RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: saving newly-entered password for
use by other modules
client sshd[19529]: pam_krb5[19529]: trying newly-entered password for
'jblaine'
client sshd[19529]: pam_krb5[19529]: authenticating
'jblaine@RCF.FOO.COM' to 'krbtgt/RCF.FOO.COM@RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]:
krb5_get_init_creds_password(krbtgt/RCF.FOO.COM@RCF.FOO.COM) returned 0
(Success)
client sshd[19529]: pam_krb5[19529]: got result 0 (Success)
client sshd[19529]: pam_krb5[19529]: obtaining v4-compatible key

^^^ WHY!?

client sshd[19529]: pam_krb5[19529]: obtained des-cbc-crc v5 creds
client sshd[19529]: pam_krb5[19529]: converting v5 creds to v4 creds
(etype = 1)
client sshd[19529]: pam_krb5[19529]: conversion failed: -1765328228
(Cannot contact any KDC for requested realm)

^^^ GRRRR

client sshd[19529]: pam_krb5[19529]: obtaining initial v4 creds
client sshd[19529]: pam_krb5[19529]: converted principal to
'jblaine'[.]''@'RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: preparing to place v4 credentials
in '/tmp/tkt26560_Hf9DpJ'
client sshd[19529]: pam_krb5[19529]: could not obtain initial v4 creds:
7 (Argument list too long)
client sshd[19529]: pam_krb5[19529]: error obtaining v4 creds: 57
(Invalid slot)

^^^ WTF?

client sshd[19529]: pam_krb5[19529]: authentication succeeds for
'jblaine' (jblaine@RCF.FOO.COM)
client sshd[19529]: pam_krb5[19529]: pam_authenticate returning 0 (Success)

============== KDC REPORTS JUST THEN ================================
kdc krb5kdc[1862](info): AS_REQ (7 etypes {18 17 16 23 1 3 2})
129.83.11.213: ISSUE: authtime 1177969934, etypes {rep=16 tkt=16
ses=16}, jblaine@RCF.FOO.COM for krbtgt/RCF.FOO.COM@RCF.FOO.COM

kdc krb5kdc[1862](info): TGS_REQ (1 etypes {1}) 129.83.11.213: ISSUE:
authtime 1177969934, etypes {rep=16 tkt=16 ses=1}, jblaine@RCF.FOO.COM
for krbtgt/RCF.FOO.COM@RCF.FOO.COM
============== END KDC REPORT =======================================

client sshd[19527]: Accepted keyboard-interactive/pam for jblaine from
::ffff:129.83.10.14 port 43521 ssh2
client sshd(pam_unix)[19530]: session opened for user jblaine by (uid=0)
client sshd[19530]: pam_krb5[19530]: configured realm 'RCF.FOO.COM'
client sshd[19530]: pam_krb5[19530]: flags: forwardable
client sshd[19530]: pam_krb5[19530]: flag: no ignore_afs
client sshd[19530]: pam_krb5[19530]: flag: user_check
client sshd[19530]: pam_krb5[19530]: flag: no krb4_convert
client sshd[19530]: pam_krb5[19530]: flag: warn
client sshd[19530]: pam_krb5[19530]: ticket lifetime: 0
client sshd[19530]: pam_krb5[19530]: renewable lifetime: 0
client sshd[19530]: pam_krb5[19530]: minimum uid: 100
client sshd[19530]: pam_krb5[19530]: banner: Kerberos 5
client sshd[19530]: pam_krb5[19530]: ccache dir: /tmp
client sshd[19530]: pam_krb5[19530]: keytab: /etc/krb5.keytab
client sshd[19530]: pam_krb5[19530]: no v5 creds for user 'jblaine',
skipping session setup

^^^ NOTE

client sshd[19530]: pam_krb5[19530]: pam_open_session returning 0 (Success)
client sshd[19530]: (pam_afs_session): pam_sm_open_session: entry (0x0)
client sshd[19530]: (pam_afs_session): skipping, no Kerberos ticket cache

^^^ NOTE

client sshd[19530]: (pam_afs_session): pam_sm_open_session: exit (success)
client sshd[19530]: pam_krb5[19530]: configured realm 'RCF.FOO.COM'
client sshd[19530]: pam_krb5[19530]: flags: forwardable
client sshd[19530]: pam_krb5[19530]: flag: no ignore_afs
client sshd[19530]: pam_krb5[19530]: flag: user_check
client sshd[19530]: pam_krb5[19530]: flag: no krb4_convert
client sshd[19530]: pam_krb5[19530]: flag: warn
client sshd[19530]: pam_krb5[19530]: ticket lifetime: 0
client sshd[19530]: pam_krb5[19530]: renewable lifetime: 0
client sshd[19530]: pam_krb5[19530]: minimum uid: 100
client sshd[19530]: pam_krb5[19530]: banner: Kerberos 5
client sshd[19530]: pam_krb5[19530]: ccache dir: /tmp
client sshd[19530]: pam_krb5[19530]: keytab: /etc/krb5.keytab
client sshd[19530]: pam_krb5[19530]: called to update credentials for
'jblaine'
client sshd[19530]: pam_krb5[19530]: _pam_krb5_sly_refresh returning 0
(Success)

================================================== ====================

debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
....
~:client> /usr/kerberos/bin/klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_26560)


Kerberos 4 ticket cache: /tmp/tkt26560
klist: You have no tickets cached
~:client>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos