Date: Thu, 21 Apr 2005 16:26:06 -0700
Hi All,

I am wondering if anyone has had the same issue I am currently having
with Kerberos and pre-authentication. When I have preauth enabled for a
user in Kerberos I cannot "su" to that user when I am logged in as root.
Instead I get an error:

"su: incorrect password"

And I don't even get a chance to supply a password! (Well, I shouldn't
have to, I'm root.) Also, the KDC shows this in the error log:

"preauth (timestamp) verify failure: No matching key in entry
AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED: $user@$host
for krbtgt/$host@$host, Preauthentication failed"

If I remove the preauth requirement in the user's policy, the "su" works
fine. Also, Kerberos users are able to log in to the machine via ssh and
locally without any problems when preauth is enabled, so it is specific
to "su" when I am root.

One thing I noticed was that when using SL 3.0.x the "su - $user" does
not talk to the KDC at all (or at least the KDC does not log it). I also
noticed that /etc/pam.d/su is different in the 2 versions, and I have
tried making them the same with no effect. I have also tried disabling
SELinux and still the same.

BTW, "su - $user" as root works fine on all my SL 3.0.x and RHEL 3 boxes.

Any thoughts/help would be appreciated.

Regards,
--
Ryan Enge
System Admin
UVic Physics & Astronomy