LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 05-26-2009, 11:41 AM   #1
zachet
LQ Newbie
 
Registered: May 2009
Posts: 20

Rep: Reputation: 0
[Solved - Clock] RHEL5: Kerberos Authentication


The Explanation:

I am currently in the process of trying to get RHEL5 to properly authenticate to Kerberos.


The problem:

I have created a test account corresponding to the Username within the Kerberos server, all attempts to switch/login to this user using the Kerberos set password fail.

If I issue a $kinit <username> it will than allow me to login to the username following Kerberos authentication however it is not automatically fetching this information, it has to be manually entered every time (the kinit).

Description(s):

2.6.18-128.1.10.el5


It appears I already had all the packages needed pre-installed during the installation of RHEL5...

Results of (typed) $rpm -qa | grep krb

Code:
krb5-auth-dialog-0.7-1
krb5-libs-1.6.1-31.el5_3.3
krb5-workstation-1.6.1-31.el5_3.3
pam_krb5-2.2.14-10
Initially I went to System > Administration > Authentication

Checked the pretty box named Kerberos and manually replaced the /etc/krb5.conf with an appropriate one.

This is the contents of /etc/pam.d/system-auth (unchanged by hand):

Code:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Unfortunality I can't find any documentation to help with this issue or perhaps I am just not aware of what to look for properly.

Last edited by zachet; 05-26-2009 at 01:28 PM. Reason: Solved
 
Old 05-26-2009, 12:23 PM   #2
glennt11
LQ Newbie
 
Registered: Aug 2004
Location: NY
Distribution: Ubuntu,Red Hat,Centos 5
Posts: 29

Rep: Reputation: 0
Do you have SELinux running? Might be an issue with permissions from it there. You can check your logs (/var/log/messages and /var/log/audit/audit.log) to see if there are any clues of it flagging your login attempts. Since you're able to login using $kinit <username> it's obvious the login your using is correct, something is blocking access to it...and I'll bet it's SELinux if you do have that enabled.
 
Old 05-26-2009, 01:08 PM   #3
zachet
LQ Newbie
 
Registered: May 2009
Posts: 20

Original Poster
Rep: Reputation: 0
I went ahead and disabled SELinux, it's taking a moment longer on checking the password however it is still returning with an "su: incorrect password".

I went through the logs didn't notice anything too distinguishing, if needed I will drag them out here and just replace the username with <username>.

I deleted and recreated the user I was using verifying the UID was over 1000 and deleted the /tmp/krb* cache, still nothing.



[UPDATE -- SOLVED]


The 'time' on the machine was an hour off, resolved -_-

Last edited by zachet; 05-26-2009 at 01:22 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
using kerberos for login authentication narendra.pant Red Hat 0 09-11-2007 03:31 PM
Kerberos Authentication in SUSE 10.1 paranoid_buddha Suse/Novell 1 06-13-2006 11:28 AM
Kerberos Authentication Comatose51 Linux - Security 2 08-30-2005 06:44 AM
Kerberos Authentication cwinter00 Linux - Security 1 06-16-2005 12:56 PM
Authentication via Kerberos grubjo Linux - Security 0 07-30-2004 11:48 AM


All times are GMT -5. The time now is 05:26 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration