Preauthentication fails with pam_krb5.so on debian
I can get this to work on a Fedora Core 3 box in less than a minute. I've been trying to do the same thing on debian for a week with no luck.
I want to use a kerberos password to login to linux. The KDC is Windows Server 2K3. the linux boxes are all using LDAP throuh active directory.
When i try to log in on a debian machine I get this error:
Mar 7 11:39:18 machine sshd[14948]: Illegal user test from ::ffff:127.0.0.1
Mar 7 11:39:20 machine sshd[14948]: (pam_unix) check pass; user unknown
Mar 7 11:39:20 machine sshd[14948]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain
Mar 7 11:39:20 machine sshd[14948]: pam_krb5: pam_sm_authenticate(ssh test): entry:
Mar 7 11:39:20 machine sshd[14948]: pam_krb5: pam_sm_authenticate(ssh test): krb5_get_init_creds_password(): Preauthentication failed
Mar 7 11:39:20 machine sshd[14948]: pam_krb5: pam_sm_authenticate(ssh test): exit: failure
Mar 7 11:39:22 machine sshd[14948]: error: PAM: Permission denied for illegal user test from localhost.localdomain
Mar 7 11:39:23 machine sshd[14948]: Failed keyboard-interactive/pam for illegal user test from ::ffff:127.0.0.1 port 33531 ssh2
Preauthentication Failed.... what does debian need to preauthenticate that Fedora doesn't?
The clocks are all in sync with ntp. I can kinit with the user fine.
I can ldap with the user and bind with the ldap bind account.
getent passwd and getent shadow work as they should.
#/etc/pam.d/common-auth
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so try_first_pass debug
#/etc/pam.d/common-account
account sufficient pam_krb5.so
account sufficient pam_unix.so
#/etc/pam.d/common-session
session sufficient pam_krb5.so
session sufficient pam_unix.so
What am i doing wrong????
|