Linux Login Failure - Kerberos


Thread: Linux Login Failure

  1. Linux Login Failure

    Kerberos 5 is configured for an OpenSuse machine.
    Login always fails for normal users except for 'root'
    (/bin/login should be used instead of the version of
    kerberized login.krb5 shipped with K5 installation
    package. But the following message shows that this
    /bin/login is kerberized since it reports kerberos
    authentication failure upon linux login.). The
    krb5kdc.log looks ok. But there is some error message
    in syslog.

    [krb5kdc.log]
    Jun 26 10:32:03 mymachine krb5kdc[14079](info): AS_REQ
    (7 etypes {18 17 16 23 1 3 2}) 192.168.1.101: ISSUE:
    authtime 1182871923, etypes {rep=16 tkt=16 ses=16},
    tester@MYDOMAIN for krbtgt/MYDOMAIN@MYDOMAIN

    [/var/log/messages]
    Jun 26 09:59:10 mymachine kdm: :1[14582]:
    pam_krb5[14582]: authentication fails for 'tester'
    (tester@MYDOMAIN): Authentication failure (Decrypt
    integrity check failed)

    'tester' is added both as a local user and as a
    principal in kerberos. 'tester' can logon w/o problem
    before K5 is installed. The problem appears when logon
    locally on the machine as 'tester' or other normal
    users.

    From the pam_krb5 error message, some googled results
    suggest this:

    [google]

    Cause:
    You might have an invalid ticket.

    Solution:
    Verify both of these conditions:

    * Make sure that your credentials are valid.
      Destroy your tickets with kdestroy, and create new
      tickets with kinit.
    * Make sure that the target host has a keytab file
      with the correct version of the service key. Use
      kadmin to view the key version number of the service
      principal (for example, host/FQDN-hostname) in the
      Kerberos database. Also, use klist -k on the target
      host to make sure that it has the same key version
      number.
    [/google]

    So, from this, I used the following commands to verify
    if principals use the same key as 'host' of master
    kdc.

    After check with the command 'klist -k' it shows:

    KVNO Principal
    ---- --------------------------------------------------------------------------
       3 host/mymachine@MYDOMAIN
       3 host/mymachine@MYDOMAIN

    Then, run 'kadmin.local: get_principal host/mymachine':
    Principal: host/mymachine@MYDOMAIN
    Expiration date: [never]
    Last password change: Tue Jun 26 09:58:41 CDT 2007
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 0 days 00:00:00
    Last modified: Tue Jun 26 09:58:41 CDT 2007
    (tester/admin@MYDOMAIN)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 2
    Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 3, DES cbc mode with CRC-32, no salt
    Attributes:
    Policy: [none]

    So, it seems ok(?). The error message seems to me to
    indicate that there is some discrepancy between the
    service key of the master kdc and the one used for the
    principal? But to ensure everything is ok, this is the
    order:
    - create host/mymachine@MYDOMAIN principal
    - extract host keytab for above principal to
    /etc/krb5.keytab
    - add principal for 'tester'

    Any thoughts? Thanks



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
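    One way to automate the keytab-versus-KDC comparison that the quoted
    advice asks for, written as an added example (this is not code from the
    thread, from MIT Kerberos or from OpenSuse): the two command outputs
    KLIST_OUT and KADMIN_OUT are constructed from the values posted above,
    and the helper names (keytab_kvnos, kdc_kvnos, check_kvno) are this
    example's own. On a real host the inputs come from `klist -k
    /etc/krb5.keytab` and, on the KDC, `kadmin.local -q "get_principal
    host/FQDN"`.

```shell
#!/bin/sh
# Added example (not from the thread): does the local keytab hold the key
# version (KVNO) that the KDC currently uses for the host principal?
# A keytab that lacks the KDC's current KVNO is a common cause of
# "Decrypt integrity check failed" when a service, or pam_krb5's
# ticket verification, tries to decrypt a freshly issued ticket.

# Constructed sample outputs, taken from the values in the thread.
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------------
   3 host/mymachine@MYDOMAIN
   3 host/mymachine@MYDOMAIN'

KADMIN_OUT='Principal: host/mymachine@MYDOMAIN
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL
# Prints the distinct KVNOs the keytab holds for PRINCIPAL, one per line,
# in ascending numeric order. Header and "Keytab name:" lines never match.
keytab_kvnos() {
  printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' | sort -nu
}

# kdc_kvnos KADMIN_OUTPUT
# Prints the distinct KVNOs from the KDC's "Key: vno N, ..." lines.
kdc_kvnos() {
  printf '%s\n' "$1" |
    awk '$1 == "Key:" && $2 == "vno" { sub(",", "", $3); print $3 }' |
    sort -nu
}

# current_kdc_kvno KADMIN_OUTPUT
# The KDC encrypts new service tickets with its newest (highest) key
# version, so that is the KVNO the keytab must contain.
current_kdc_kvno() {
  kdc_kvnos "$1" | tail -n 1
}

# check_kvno KLIST_OUTPUT KADMIN_OUTPUT PRINCIPAL
# Exit status 0 when the keytab holds the KDC's current KVNO for PRINCIPAL,
# 1 when it does not or when either output lacks the principal.
check_kvno() {
  want=$(current_kdc_kvno "$2")
  [ -n "$want" ] || return 1
  keytab_kvnos "$1" "$3" | grep -qx "$want"
}

# report_kvno KLIST_OUTPUT KADMIN_OUTPUT PRINCIPAL
# Human-readable verdict, listing both sides' KVNOs on a mismatch.
report_kvno() {
  if check_kvno "$1" "$2" "$3"; then
    echo "OK: keytab has KVNO $(current_kdc_kvno "$2") for $3"
  else
    echo "MISMATCH for $3: keytab [$(keytab_kvnos "$1" "$3" | tr '\n' ' ')] vs KDC [$(kdc_kvnos "$2" | tr '\n' ' ')]"
  fi
}

report_kvno "$KLIST_OUT" "$KADMIN_OUT" host/mymachine@MYDOMAIN
```

    For the values in this thread the check passes (both sides are at KVNO
    3), which is consistent with the follow-up below finding the cause
    somewhere other than the keytab. The check only compares version
    numbers; to compare encryption types as well, use `klist -ke`, which
    prints each keytab entry's enctype next to its KVNO, against the
    "Key: vno N, <enctype>" lines from kadmin.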


  2. Re: Linux Login Failure

    Found the problem. "kerberos client" was enabled in
    YaST in OpenSuse. Maybe there is some conflict w/ the
    Krb5 version downloaded and installed and there is
    some configuration problem as well. Though I've not
    figured out the details, clearly, with "kerberos
    client" enabled, /bin/login uses pam_krb5 for
    authentication and it got confused and found the wrong
    keys or something. Anyway, there is no logon problem
    anymore after I disabled "kerberos client" from the
    YaST console.

    Hope some guru (OpenSuse?) can post some explanation
    of how authentication really works when "kerberos
    client" is enabled in the YaST console.

    Thanks for your attention.


    --- jiang licht wrote:

    > [original post quoted in full; see message 1 above]






