LinuxAnswers - the LQ Linux tutorial section.
Go Back > Forums > Linux Forums > Linux - Distributions > Fedora
User Name
Fedora This forum is for the discussion of the Fedora Project.


  Search this Thread
Old 01-17-2008, 04:26 PM   #1
LQ Newbie
Registered: Jan 2008
Posts: 5

Rep: Reputation: 0
fc6 kinit works, pam_krb5 fails

Hi All,

I have a public school I'm administering, and darned if some of those kids aren't extremely linux savy. Dont want them getting at the faculty data, so I want to get some better security than what is offered by normal NFSv3. As a result, I've been setting up NFSv4 with Kerberos.

The good news, I've set it up and it works fine. I have a Fedora 6 server and a Fedora 7 client, behavior is as expected. I can kinit, get my TGT, and access NFSv4 share nice as you please.

The bad news, I cant seem to get pam_krb5 to succeed in fetching a TGT during login. I've tried everything, many sleepless nights, even took a look at the source code which really put me in my place. :/ Not something I'm going to figure out on my own.

My pam system-auth is the default Fedora 7 that is setup by system-config-authentication; I've atached it at the bottom of this post. I turned on pam_krb5 debug to collect log information and this is what I see;

Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: got result -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: authentication fails for 'bobh' (bobh@EXAMPLE.COM): Authentication failure (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: pam_authenticate returning 7 (Authentication failure)

However, if I first manually kinit from the account to get a TGT, I get a successful result in the logs as follows.

Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: got result 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: authentication succeeds for 'bobh' (bobh@EXAMPLE.COM)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: pam_authenticate returning 0 (Success)

In the case when I dont kinit the account before doing the ssh, I see no credentials file created in the tmp directory by pam_krb5.
In the case where there is success, I see a credential file created in the tmp directory which is properly destroyed after logout.

Anyone able to help me?

Thanks in advance,

- system-auth
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth sufficient use_first_pass
auth required

account required broken_shadow
account sufficient
account sufficient uid < 500 quiet
account [default=bad success=ok user_unknown=ignore]
account required

password requisite try_first_pass retry=3
password sufficient md5 shadow nis nullok try_first_pass use_authtok
password sufficient use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional


kerberos, nfsv4, pamkrb5

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
kerberos kinit gets TGT, pam_krb5 wont get TGT Bobism Linux - Security 3 01-21-2008 06:47 PM
FC6 installs but fails to display anything at runtime. Satadru Sengupta Linux - General 4 02-22-2007 01:13 AM
FC6 Upgrade, update then fails to boot saywot Fedora 1 10-28-2006 07:36 AM
Preauthentication fails with on debian edgood1 Linux - Software 0 03-07-2006 11:58 AM fails to retreive ticket nilecirb Linux - Networking 0 07-30-2005 12:06 AM

All times are GMT -5. The time now is 02:30 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration