Date: Fri, 22 Apr 2005 09:33:47 -0700
Troy Dawson wrote:
> Ryan Enge wrote:
>
>> Hi All,
>>
>> I am wondering if anyone has had the same issue I am currently having
>> with Kerberos and pre-authentication. When I have preauth enabled for
>> a user in Kerberos I cannot "su" to that user when I am logged in as
>> root. Instead I get an error:
>>
>> "su: incorrect password"
>>
>> And I don't even get a chance to supply a password! (Well, I shouldn't
>> have to, I'm root.) Also, the KDC shows this in the error log:
>>
>> "preauth (timestamp) verify failure: No matching key in entry
>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED:
>> $user@$host
>> for krbtgt/$host@$host, Preauthentication failed"
>>
>> If I remove the preauth requirement in the user's policy the "su"
>> works fine. Also Kerberos users are able to login to the machine via
>> ssh and locally without any problems when preauth is enabled, so it
>> is specific to "su" when I am root.
>>
>> One thing I noticed was that when using SL 3.0.x the "su - $user"
>> does not talk to the KDC at all (or at least the KDC does not log
>> it). I also noticed that /etc/pam.d/su is different in the 2
>> versions, and I have tried making them the same with no effect. I have
>> also tried disabling SELinux and still the same.
>>
>> BTW, "su - $user" as root works fine on all my SL 3.0.x and RHEL 3
>> boxes.
>>
>> Any thoughts/help would be appreciated.
>>
>> Regards,
>>
> Hi Ryan,
> How are you changing whether to pre-authenticate or not? In your
> /etc/krb5.conf? And if so, which sections?
>
> Do you have AFS installed?
> I have had problems doing kerberos authentication when AFS was
> installed, and I'm just wondering if it's related.
>
> Have you tried turning debug on, for both SL 3.0.x and SL 4.x to see
> what the difference is there? I'm finding that it really spits a lot
> of information out.
>
> Troy
Hi Troy,
I was changing the pre-authentication in the principals Attributes, i.e.
kadmin modprinc +requires_preauth $principal.
AFS was not installed on this machine, so I don't think it is related.
I set "debug = true" in the [appdefaults] section of the krb5.conf on
the client, is there somewhere else I can add debug info? It doesn't
seem to log anything in messages or secure when I try "su - $user" as root.
Thanks for the help,
Ryan
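The KDC log lines quoted in this thread (the "preauth (timestamp) verify failure" line followed by the "AS_REQ ... PREAUTH_FAILED" line) are the most useful evidence for a problem like this, so here is a small parser for them. This is an added example, not code from anyone in the thread. It assumes MIT krb5's krb5kdc.log line format; the sample log text, the realm EXAMPLE.COM, the principal names, the client addresses and all function names are constructed for the example. The etype numbers follow the standard Kerberos assignments (1/2/3 = single DES, 16 = 3DES, 17/18 = AES, 23 = RC4).

```python
"""Parse MIT krb5 KDC log lines and summarise AS_REQ pre-authentication
failures.  Added example for the thread above; log format assumed to be
MIT krb5kdc.log, sample data below is constructed."""
import re
from collections import Counter

# Kerberos encryption type numbers as registered for the protocol.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ETYPES = {1, 2, 3}  # single-DES, retired by RFC 6649

# "AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10(88): PREAUTH_FAILED: ..."
AS_REQ_RE = re.compile(
    r"AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>[^\s(]+)\((?P<port>\d+)\): (?P<status>\w+): (?P<rest>.*)$"
)
# "<client> for <server>" somewhere in the remainder of the AS_REQ line
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")
# "preauth (timestamp) verify failure: No matching key in entry"
VERIFY_FAIL_RE = re.compile(
    r"preauth \((?P<mech>[^)]+)\) verify failure: (?P<reason>.*)$"
)

# Constructed sample log (hostnames, realm, principals, addresses are made up).
SAMPLE_LOG = """\
Apr 22 09:33:47 kdc krb5kdc[2143](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10(88): NEEDED_PREAUTH: ryan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Apr 22 09:33:47 kdc krb5kdc[2143](info): preauth (timestamp) verify failure: No matching key in entry
Apr 22 09:33:47 kdc krb5kdc[2143](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10(88): PREAUTH_FAILED: ryan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Apr 22 09:35:12 kdc krb5kdc[2143](info): AS_REQ (3 etypes {1 3 2}) 192.0.2.20(88): ISSUE: authtime 1114187712, etypes {rep=3 tkt=3 ses=3}, troy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def parse_kdc_log(lines):
    """Return one dict per AS_REQ line.  The KDC writes the preauth verify
    failure reason on its own line just before the AS_REQ line it belongs
    to, so that reason is carried forward onto the next PREAUTH_FAILED event."""
    events = []
    pending_reason = None
    for line in lines:
        vf = VERIFY_FAIL_RE.search(line)
        if vf:
            pending_reason = "%s: %s" % (vf.group("mech"), vf.group("reason"))
            continue
        m = AS_REQ_RE.search(line)
        if not m:
            continue
        pm = PRINC_RE.search(m.group("rest"))
        status = m.group("status")
        events.append({
            "status": status,
            "etypes": [int(x) for x in m.group("etypes").split()],
            "addr": m.group("addr"),
            "client": pm.group("client") if pm else None,
            "server": pm.group("server") if pm else None,
            "reason": pending_reason if status == "PREAUTH_FAILED" else None,
        })
        pending_reason = None
    return events


def preauth_failures(events):
    """Count PREAUTH_FAILED events per (client principal, source address)."""
    counts = Counter()
    for ev in events:
        if ev["status"] == "PREAUTH_FAILED":
            counts[(ev["client"], ev["addr"])] += 1
    return counts


def usable_etypes(offered, stored):
    """Enctypes the client offered for which the principal has a stored key.
    MIT's KDC looks up the key matching the enctype the client used for the
    encrypted timestamp; if no such key exists it logs 'No matching key in
    entry'.  An empty result here means no offered enctype could have worked."""
    return [e for e in offered if e in stored]


def weak_etypes_offered(events):
    """Source addresses of clients still offering single-DES enctypes."""
    return {ev["addr"] for ev in events if WEAK_ETYPES & set(ev["etypes"])}


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG.splitlines())
    for (client, addr), n in preauth_failures(evs).items():
        print("%s from %s: %d preauth failure(s)" % (client, addr, n))
    for ev in evs:
        if ev["reason"]:
            print("  reason:", ev["reason"], "offered etypes:",
                  [ETYPE_NAMES.get(e, str(e)) for e in ev["etypes"]])
    print("clients offering weak etypes:", sorted(weak_etypes_offered(evs)))
```

Run it against the real krb5kdc.log (`parse_kdc_log(open(path))`) and compare the offered etypes on the failing AS_REQ with the key enctypes listed by `kadmin getprinc` for that principal; that comparison is what `usable_etypes` automates.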