Date: Fri, 22 Apr 2005 11:48:27 -0500
Ryan Enge wrote:
> Troy Dawson wrote:
>
>> Ryan Enge wrote:
>>
>>> Hi All,
>>>
>>> I am wondering if anyone has had the same issue I am currently having
>>> with Kerberos and pre-authentication. When I have preauth enabled for
>>> a user in Kerberos I cannot "su" to that user when I am logged in as
>>> root. Instead I get an error:
>>>
>>> "su: incorrect password"
>>>
>>> And I don't even get a chance to supply a password! (Well, I shouldn't
>>> have to, I'm root.) Also the KDC shows this in the error log:
>>>
>>> "preauth (timestamp) verify failure: No matching key in entry
>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED:
>>> $user@$host
>>> for krbtgt/$host@$host, Preauthentication failed"
>>>
>>> If I remove the preauth requirement in the user's policy the "su"
>>> works fine. Also Kerberos users are able to login to the machine via
>>> ssh and locally without any problems when preauth is enabled, so it
>>> is specific to "su" when I am root.
>>>
>>> One thing I noticed was that when using SL 3.0.x the "su - $user"
>>> does not talk to the KDC at all (or at least the KDC does not log
>>> it). I also noticed that /etc/pam.d/su is different in the 2
>>> versions and I have tried making them the same with no effect. I have
>>> also tried disabling SELinux and still the same.
>>>
>>> BTW, "su - $user" as root works fine on all my SL 3.0.x and RHEL 3
>>> boxes.
>>>
>>> Any thoughts/help would be appreciated.
>>>
>>> Regards,
>>>
>> Hi Ryan,
>> How are you changing whether to pre-authenticate or not? In your
>> /etc/krb5.conf? And if so, which sections?
>>
>> Do you have AFS installed?
>> I have had problems doing Kerberos authentication when AFS was
>> installed, and I'm just wondering if it's related.
>>
>> Have you tried turning debug on, for both SL 3.0.x and SL 4.x to see
>> what the difference is there? I'm finding that it really spits a lot
>> of information out.
>>
>> Troy
>
>
>
> Hi Troy,
>
> I was changing the pre-authentication in the principal's attributes, i.e.
> kadmin modprinc +requires_preauth $principal.
>
> AFS was not installed on this machine, so I don't think it is related.
>
> I set "debug = true" in the [appdefaults] section of the krb5.conf on
> the client, is there somewhere else I can add debug info? It doesn't
> seem to log anything in messages or secure when I try "su - $user" as root.
>
> Thanks for the help,
>
> Ryan
Yes, you need to add
# Save debug messages to debug.log
*.debug /var/log/debug.log
to /etc/syslog.conf and restart syslog. (/etc/init.d/syslog restart)
Actually, you can have it go to any file you want, but you might want to
not have it in messages, because it really spits out a lot.
Troy
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/CSS CSI Group
__________________________________________________
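A small triage helper for the KDC log lines quoted in this thread, added here as an example and not part of the original messages: it pairs each "preauth (timestamp) verify failure" line with the "AS_REQ ... PREAUTH_FAILED" line that follows it and pulls out the client address, principal and the enctypes the client offered, so that list can be compared against the keys the principal actually holds (as listed by kadmin getprinc). The sample log lines, the realm EXAMPLE.COM, the address 192.0.2.10 and the syslog-style line prefix are constructed assumptions; the key list passed to etypes_without_key is supplied by the caller.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the two KDC lines quoted in the thread,
# plus one successful ISSUE line. Realm, host and IP are placeholders.
SAMPLE_KDC_LOG = """\
Apr 22 11:48:27 kdc krb5kdc[2104](info): preauth (timestamp) verify failure: No matching key in entry
Apr 22 11:48:27 kdc krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10(88): PREAUTH_FAILED: ryan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Apr 22 11:49:02 kdc krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10(88): ISSUE: authtime 1114188542, etypes {rep=16 tkt=16 ses=16}, ryan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

VERIFY_FAILURE_RE = re.compile(r"preauth \((?P<method>[^)]+)\) verify failure: (?P<reason>.+?)\s*$")
PREAUTH_FAILED_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<client>\S+?)\(\d+\): "
    r"PREAUTH_FAILED: (?P<princ>\S+) for (?P<service>[^,\s]+)"
)

@dataclass
class PreauthFailure:
    client: str                # address the AS_REQ came from
    principal: str             # client principal that failed pre-authentication
    service: str               # requested service (krbtgt/REALM@REALM for a TGT)
    offered_etypes: List[int]  # enctypes advertised by the client in the AS_REQ
    method: Optional[str]      # preauth method from the preceding verify-failure line
    reason: Optional[str]      # KDC's reason from that line, if one preceded the AS_REQ

def parse_preauth_failures(log_text: str) -> List[PreauthFailure]:
    """Pair each verify-failure line with the PREAUTH_FAILED AS_REQ that follows it."""
    failures, pending = [], None
    for line in log_text.splitlines():
        v = VERIFY_FAILURE_RE.search(line)
        if v:
            pending = (v.group("method"), v.group("reason"))
            continue
        if "AS_REQ" not in line:
            continue
        p = PREAUTH_FAILED_RE.search(line)
        if p:
            failures.append(PreauthFailure(
                client=p.group("client"), principal=p.group("princ"), service=p.group("service"),
                offered_etypes=[int(e) for e in p.group("etypes").split()],
                method=pending[0] if pending else None, reason=pending[1] if pending else None,
            ))
        pending = None  # any AS_REQ, failed or issued, consumes the pending reason
    return failures

def etypes_without_key(failure: PreauthFailure, principal_key_etypes: List[int]) -> List[int]:
    """Offered enctypes for which the principal has no key (key list from 'kadmin getprinc')."""
    have = set(principal_key_etypes)
    return [e for e in failure.offered_etypes if e not in have]
```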