SCIENTIFIC-LINUX-USERS Archives

April 2005

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Fri, 22 Apr 2005 11:11:10 -0500
Ryan Enge wrote:
> Hi All,
> 
> I am wondering if anyone has had the same issue I am currently having 
> with Kerberos and pre-authentication. When I have preauth enabled for a 
> user in Kerberos I cannot "su" to that user when I am logged in as root. 
> Instead I get an error:
> 
> "su: incorrect password"
> 
> And I don't even get a chance to supply a password! (Well, I shouldn't 
> have to, I'm root.) Also, the KDC shows this in the error log:
> 
> "preauth (timestamp) verify failure: No matching key in entry
> AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED: $user@$host
> for krbtgt/$host@$host, Preauthentication failed"
> 
> If I remove the preauth requirement in the user's policy the "su" works 
> fine. Also Kerberos users are able to login to the machine via ssh and 
> locally without any problems when preauth is enabled, so it is specific 
> to "su" when I am root.
> 
> One thing I noticed was that when using SL 3.0.x the "su - $user" does 
> not talk to the KDC at all (or at least the KDC does not log it). I also 
> noticed that /etc/pam.d/su is different in the 2 versions and I have 
> tried making them the same with no effect. I have also tried disabling 
> SELinux and still the same.
> 
> BTW, "su - $user" as root works fine on all my SL 3.0.x and RHEL 3 boxes.
> 
> Any thoughts/help would be appreciated.
> 
> Regards,
> 
Hi Ryan,
How are you changing whether to pre-authenticate or not?  In your 
/etc/krb5.conf?  And if so, which sections?

Do you have AFS installed?
I have had problems doing Kerberos authentication when AFS was 
installed, and I'm just wondering if it's related.

Have you tried turning debug on, for both SL 3.0.x and SL 4.x to see 
what the difference is there?  I'm finding that it really spits a lot of 
information out.

Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/CSS  CSI Group
__________________________________________________
