LinuxQuestions.org
Old 01-17-2008, 03:26 PM   #1
Bobism
fc6 kinit works, pam_krb5 fails


Hi All,

I have a public school I'm administering, and darned if some of those kids aren't extremely Linux savvy. Don't want them getting at the faculty data, so I want to get some better security than what is offered by normal NFSv3. As a result, I've been setting up NFSv4 with Kerberos.

The good news, I've set it up and it works fine. I have a Fedora 6 server and a Fedora 7 client, behavior is as expected. I can kinit, get my TGT, and access NFSv4 share nice as you please.

The bad news, I can't seem to get pam_krb5 to succeed in fetching a TGT during login. I've tried everything, many sleepless nights, even took a look at the source code which really put me in my place. :/ Not something I'm going to figure out on my own.

My pam system-auth is the default Fedora 7 that is set up by system-config-authentication; I've attached it at the bottom of this post. I turned on pam_krb5 debug to collect log information and this is what I see:

Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: got result -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: authentication fails for 'bobh' (bobh@EXAMPLE.COM): Authentication failure (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: pam_authenticate returning 7 (Authentication failure)

However, if I first manually kinit from the account to get a TGT, I get a successful result in the logs as follows.

Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: got result 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: authentication succeeds for 'bobh' (bobh@EXAMPLE.COM)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: pam_authenticate returning 0 (Success)

In the case when I don't kinit the account before doing the ssh, I see no credentials file created in the tmp directory by pam_krb5.
In the case where there is success, I see a credential file created in the tmp directory which is properly destroyed after logout.

Anyone able to help me?

Thanks in advance,
Bob





- system-auth
---------------------
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
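
An added example, not part of the original post: a small Python parser that folds the pam_krb5 debug lines quoted above into one record per sshd PID (one login attempt each) and decodes the numeric krb5 return value. The function and variable names are illustrative; the error-table base is MIT krb5's and the error numbers are from RFC 4120. The two "got result" lines from the post are left out of the sample because they repeat the same code.

```python
import re

# MIT krb5 library error values are the RFC 4120 error number plus this base.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 24: "KDC_ERR_PREAUTH_FAILED",
              31: "KRB_AP_ERR_BAD_INTEGRITY", 37: "KRB_AP_ERR_SKEW"}  # subset

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_krb5\[\d+\]: (?P<msg>.*)$")
INIT = re.compile(r"krb5_get_init_creds_password\((?P<svc>[^)]+)\) returned (?P<code>-?\d+)")
AUTH = re.compile(r"authentication (?:fails|succeeds) for '(?P<user>[^']+)' \((?P<princ>[^)]+)\)")
PAM = re.compile(r"pam_authenticate returning (?P<rc>\d+)")

# Debug lines quoted in the post above: the failed login, then the successful one.
SAMPLE = """\
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: authentication fails for 'bobh' (bobh@EXAMPLE.COM): Authentication failure (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: pam_authenticate returning 7 (Authentication failure)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: authentication succeeds for 'bobh' (bobh@EXAMPLE.COM)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: pam_authenticate returning 0 (Success)
""".splitlines()

def decode_krb5(code):
    """Translate a krb5 library return value into a protocol error name."""
    if code == 0:
        return "success"
    return KRB_ERRORS.get(code - KRB5_ERROR_TABLE_BASE, "unlisted (%d)" % code)

def summarize(lines):
    """Fold pam_krb5 debug lines into one record per sshd PID (login attempt)."""
    attempts = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a pam_krb5 message logged through sshd
        rec = attempts.setdefault(m.group("pid"), {})
        init, auth, pam = (r.search(m.group("msg")) for r in (INIT, AUTH, PAM))
        if init:
            rec["service"] = init.group("svc")
            rec["krb5"] = decode_krb5(int(init.group("code")))
        elif auth:
            rec["user"], rec["principal"] = auth.group("user"), auth.group("princ")
        elif pam:
            rec["pam_rc"] = int(pam.group("rc"))
    return attempts

if __name__ == "__main__":
    for pid, rec in summarize(SAMPLE).items():
        print(pid, rec)
```

For the post's failing attempt the value -1765328353 is base + 31, which is KRB_AP_ERR_BAD_INTEGRITY, the protocol error behind the "Decrypt integrity check failed" text.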
 
  

