LinuxQuestions.org
Old 06-23-2011, 05:01 PM   #1
erick.brown
Kerberos/LDAP Desktop Login - Authentication failure


I have a CentOS 5.6 server operating as a Kerberos 5 KDC and an OpenLDAP server. I have a Fedora 15 client that I am trying to do desktop login authentication through the Kerberos/LDAP server. It's not working.

I can successfully kinit from both the server and the client on the command line, and likewise ldapsearch works from the command line on both the client and the server.

When I try to log into the client using a Kerberos/LDAP username/password, it simply says 'Authentication failure'.

I've included what I hope are the relevant configuration files and log entries from both the client and the server. Thanks in advance for any thoughts, advice, or solutions.


Here's the configuration and log files from the server:
/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IMAGENET
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 IMAGENET = {
  kdc = imagehost:88
  admin_server = imagehost:749
  default_domain = imagenet
 }

[domain_realm]
 .imagenet = IMAGENET
 imagenet = IMAGENET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }



/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/krb5kdc.schema
include /etc/openldap/schema/openldap.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/ldap/slapd.log
loglevel -1

TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never

# map the SASL/GSSAPI identity uid=<user>,cn=imagenet,cn=gssapi,cn=auth
# to that user's entry under ou=people (continuation lines must be indented)
authz-policy from
authz-regexp
    uid=(.*),cn=imagenet,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=imagenet
sasl-realm IMAGENET
sasl-host imagehost.imagenet

access to dn.base="" by * read
access to *
    by dn="uid=ldapadmin,ou=people,dc=imagenet" write
    by users read
    by anonymous auth

database bdb
suffix "dc=imagenet"
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub


/var/log/krb5kdc.log (snippet)
Jun 23 13:41:23 imagehost krb5kdc[21071](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.1.98: PROCESS_TGS: authtime 0, <unknown client> for host/imagehost.imagenet@IMAGENET, Ticket expired
Jun 23 13:41:23 imagehost krb5kdc[21071](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.1.98: PROCESS_TGS: authtime 0, <unknown client> for host/imagehost.imagenet@IMAGENET, Ticket expired
Jun 23 13:41:23 imagehost krb5kdc[21071](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.1.98: PROCESS_TGS: authtime 0, <unknown client> for host/imagehost.imagenet@IMAGENET, Ticket expired
Jun 23 13:41:31 imagehost krb5kdc[21071](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 127.0.0.1: ISSUE: authtime 1308861691, etypes {rep=16 tkt=16 ses=16}, root@IMAGENET for krbtgt/IMAGENET@IMAGENET



And from the client,
/var/log/secure (snippet)
Jun 23 13:41:01 vt1 pam: gdm-password[4605]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 23 13:41:01 vt1 pam: gdm-password[4605]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 23 13:41:01 vt1 pam: gdm-password[4605]: gkr-pam: error looking up user information


The entries in the Authentication GUI on the client (system-config-authentication)
User Account Database: LDAP
LDAP Search Base DN: dc=imagenet
LDAP Server: ldaps://imagehost.imagenet/
Use TLS to encrypt connections is UNCHECKED

Authentication Method: Kerberos password
Realm: IMAGENET
KDCs: imagehost.imagenet
Admin Servers: imagehost.imagenet
Use DNS to resolve hosts to realms is UNCHECKED
Use DNS to locate KDCs for realms is UNCHECKED
 
Old 06-25-2011, 03:54 AM   #2
kasl33
I'm probably wrong, but I just completed an Active Directory course and, although a lot of it is still a bit foggy, it seems like DNS Lookup Realm should be set to yes.

Also, are you joined to the domain on the Fedora box (fedora.imagenet) and trying to login as user@fedora.imagenet ?

I don't know your level of expertise but I hope this helps even a little.
 
Old 06-25-2011, 03:56 AM   #3
kasl33
Also, can you ping the server? Is the firewall blocking anything?
 
Old 06-27-2011, 11:09 AM   #4
erick.brown
Answering each:

I can try DNS/Realm lookup again. I tried it before, but I may have fixed something else since then.

I've tried various forms of the user name, but not the one that you suggested. Using kinit from the command line, it seems to take an implied "@IMAGENET" suffix, so I assumed that would be the case with the desktop login as well. I will try the username permutation that you suggested.

Connectivity between the two systems is good; ping, ssh, DHCP, DNS, and even Kerberos and LDAP work. The problem is that they don't seem to work for desktop login. Once I log in to a local account on the Fedora box, I can use kinit user from a terminal window, and it works perfectly. Likewise, I can use ldapsearch from the terminal, and it works fine too (although with a 2 or so second pause, which I'm still trying to figure out).

But when I try to use Kerberos credentials to log into the desktop (you know the screen that is presented when the computer boots? It shows a face browser. I believe it's part of GDM) it doesn't work, giving me a vague 'authentication failure' message.
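The client log in the first post and the "kinit and ldapsearch work, the desktop doesn't" observation in the reply above point at the same layer. `gkr-pam: error looking up user information` is what gnome-keyring's PAM module logs when getpwnam() for the login name returns nothing; pam_unix's `check pass; user unknown` on its own is expected for a directory user with no local password hash, but together with the gkr-pam line, and with no pam_krb5 line in the snippet, it says the user name never resolved through NSS in the process GDM runs as root, so no password or ticket was checked. That is a different path from `kinit` (talks to the KDC directly) and from `ldapsearch` (reads /etc/openldap/ldap.conf, not the configuration the NSS lookup uses). The script below is an added example, not code from the thread or from either poster: it classifies the PAM lines quoted above, pulls the failed TGS requests out of the quoted KDC snippet (the client 10.1.1.98 presenting an expired TGT for host/imagehost.imagenet), and with `--live` runs the lookups GDM needs on the client. The login name `erick`, the `--live` flag and the paths /etc/nsswitch.conf and /etc/openldap/ldap.conf are assumptions.

```shell
#!/bin/sh
# Added triage helper for the GDM "Authentication failure" above; not from
# the thread. The two classifiers take log text as an argument so the quoted
# snippets can be checked offline; "--live USER" runs the real lookups on a
# client. Assumed: login name "erick", /etc/nsswitch.conf, /etc/openldap/ldap.conf.

# Lines quoted from the thread's /var/log/secure snippet (client side).
PAM_SAMPLE='Jun 23 13:41:01 vt1 pam: gdm-password[4605]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 23 13:41:01 vt1 pam: gdm-password[4605]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 23 13:41:01 vt1 pam: gdm-password[4605]: gkr-pam: error looking up user information'

# Lines quoted from the thread's /var/log/krb5kdc.log snippet (server side).
KDC_SAMPLE='Jun 23 13:41:23 imagehost krb5kdc[21071](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.1.98: PROCESS_TGS: authtime 0, <unknown client> for host/imagehost.imagenet@IMAGENET, Ticket expired
Jun 23 13:41:23 imagehost krb5kdc[21071](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.1.98: PROCESS_TGS: authtime 0, <unknown client> for host/imagehost.imagenet@IMAGENET, Ticket expired
Jun 23 13:41:23 imagehost krb5kdc[21071](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.1.98: PROCESS_TGS: authtime 0, <unknown client> for host/imagehost.imagenet@IMAGENET, Ticket expired
Jun 23 13:41:31 imagehost krb5kdc[21071](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 127.0.0.1: ISSUE: authtime 1308861691, etypes {rep=16 tkt=16 ses=16}, root@IMAGENET for krbtgt/IMAGENET@IMAGENET'

# classify_pam_log LOGTEXT  ->  prints one of:
#   nss-lookup    gkr-pam could not getpwnam() the login name: NSS never
#                 resolved the user, so no password or ticket was checked
#   local-hash    only pam_unix said "user unknown": expected for a directory
#                 user with no local hash, the next auth module decides
#   auth-failure  pam_unix rejected the password of a user it could see
#   unknown       no recognisable auth line
classify_pam_log() {
    if printf '%s\n' "$1" | grep -q 'gkr-pam: error looking up user information'; then
        echo nss-lookup
    elif printf '%s\n' "$1" | grep -q 'pam_unix([^)]*:auth): check pass; user unknown'; then
        echo local-hash
    elif printf '%s\n' "$1" | grep -q 'pam_unix([^)]*:auth): authentication failure'; then
        echo auth-failure
    else
        echo unknown
    fi
}

# kdc_tgs_failures LOGTEXT
# Prints "count client-ip service outcome" for every TGS_REQ the KDC did not
# answer with ISSUE. A TGS_REQ is authenticated with the client's TGT, so
# "Ticket expired" means that host presented an expired TGT while asking for
# the named service; match the IP and time against /var/log/secure.
kdc_tgs_failures() {
    printf '%s\n' "$1" | grep 'TGS_REQ' | grep -v ': ISSUE:' |
        sed -n 's/.*TGS_REQ ([^)]*) \([0-9.]*\): [A-Z_]*: authtime [0-9]*, .* for \([^,]*\), \(.*\)$/\1 \2 \3/p' |
        sort | uniq -c | sed 's/^ *//'
}

# run_client_checks USER
# What GDM's PAM stack needs before Kerberos is involved, from root's point
# of view (GDM runs as root). getent goes through nsswitch.conf, which is
# not the path ldapsearch uses.
run_client_checks() {
    user=$1
    printf 'nsswitch.conf passwd line : '
    grep '^passwd:' /etc/nsswitch.conf 2>/dev/null || echo '(none)'
    printf 'getent passwd %s         : ' "$user"
    getent passwd "$user" || echo 'NOT RESOLVED (this is what gkr-pam and pam_unix hit)'
    printf 'ldapsearch TLS CA setting  : '
    grep -i '^TLS_CACERT' /etc/openldap/ldap.conf 2>/dev/null || echo '(none; the NSS lookup reads its own config anyway)'
}

echo "client PAM snippet : $(classify_pam_log "$PAM_SAMPLE")"
echo "KDC TGS failures   : $(kdc_tgs_failures "$KDC_SAMPLE")"
if [ "$1" = "--live" ]; then
    run_client_checks "${2:-erick}"
fi
```

Run it with no arguments to classify the quoted snippets (`nss-lookup` and `3 10.1.1.98 host/imagehost.imagenet@IMAGENET Ticket expired`), or as root on the Fedora client with `--live erick`. If `getent passwd erick` comes back empty while `ldapsearch` for the same entry works, the fault is on the NSS side of the client (nsswitch.conf and the LDAP client settings that lookup path uses, including whatever CA certificate an ldaps:// URI needs), not in Kerberos or on the KDC.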
 
  

