SCIENTIFIC-LINUX-USERS Archives

April 2005

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Ryan Enge <[log in to unmask]>
Reply To: Ryan Enge <[log in to unmask]>
Date: Thu, 21 Apr 2005 16:26:06 -0700
Content-Type: text/plain

Hi All,

I am wondering if anyone has had the same issue I am currently having 
with Kerberos and pre-authentication. When I have preauth enabled for a 
user in Kerberos I cannot "su" to that user when I am logged in as root. 
Instead I get an error:

"su: incorrect password"

And I don't even get a chance to supply a password! (Well, I shouldn't 
have to, I'm root.) Also, the KDC shows this in the error log:

"preauth (timestamp) verify failure: No matching key in entry
AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED: $user@$host
for krbtgt/$host@$host, Preauthentication failed"

If I remove the preauth requirement in the user's policy, the "su" works 
fine. Also, Kerberos users are able to log in to the machine via ssh and 
locally without any problems when preauth is enabled, so it is specific 
to "su" when I am root.

One thing I noticed was that when using SL 3.0.x the "su - $user" does 
not talk to the KDC at all (or at least the KDC does not log it). I also 
noticed that /etc/pam.d/su is different in the 2 versions, and I have 
tried making them the same with no effect. I have also tried disabling 
SELinux and still the same.

BTW, "su - $user" as root works fine on all my SL 3.0.x and RHEL 3 boxes.

Any thoughts/help would be appreciated.

Regards,

-- 
Ryan Enge
System Admin
UVic Physics & Astronomy
[log in to unmask]
