RHEL5: Kerberos Authentication

zachet · 05-26-2009, 11:41 AM

The Explanation:

I am currently in the process of trying to get RHEL5 to properly authenticate to Kerberos.

The problem:

I have created a test account corresponding to the Username within the Kerberos server, all attempts to switch/login to this user using the Kerberos set password fail.

If I issue a $kinit <username> it will than allow me to login to the username following Kerberos authentication however it is not automatically fetching this information, it has to be manually entered every time (the kinit).

Description(s):

2.6.18-128.1.10.el5

It appears I already had all the packages needed pre-installed during the installation of RHEL5...

Results of (typed) $rpm -qa | grep krb

Code:

krb5-auth-dialog-0.7-1
krb5-libs-1.6.1-31.el5_3.3
krb5-workstation-1.6.1-31.el5_3.3
pam_krb5-2.2.14-10

Initially I went to System > Administration > Authentication

Checked the pretty box named Kerberos and manually replaced the /etc/krb5.conf with an appropriate one.

This is the contents of /etc/pam.d/system-auth (unchanged by hand):

Code:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Unfortunality I can't find any documentation to help with this issue or perhaps I am just not aware of what to look for properly.

glennt11 · 05-26-2009, 12:23 PM

Do you have SELinux running? Might be an issue with permissions from it there. You can check your logs (/var/log/messages and /var/log/audit/audit.log) to see if there are any clues of it flagging your login attempts. Since you're able to login using $kinit <username> it's obvious the login your using is correct, something is blocking access to it...and I'll bet it's SELinux if you do have that enabled.

zachet · 05-26-2009, 01:08 PM

I went ahead and disabled SELinux, it's taking a moment longer on checking the password however it is still returning with an "su: incorrect password".

I went through the logs didn't notice anything too distinguishing, if needed I will drag them out here and just replace the username with <username>.

I deleted and recreated the user I was using verifying the UID was over 1000 and deleted the /tmp/krb* cache, still nothing.

[UPDATE -- SOLVED]

The 'time' on the machine was an hour off, resolved -_-