SCIENTIFIC-LINUX-USERS Archives

April 2005

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Fri, 22 Apr 2005 11:48:27 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (88 lines)
Ryan Enge wrote:
> Troy Dawson wrote:
> 
>> Ryan Enge wrote:
>>
>>> Hi All,
>>>
>>> I am wondering if anyone has had the same issue I am currently having 
>>> with Kerberos and pre-authentication. When I have preauth enabled for 
>>> a user in Kerberos I cannot "su" to that user when I am logged in as 
>>> root. Instead I get an error:
>>>
>>> "su: incorrect password"
>>>
>>> And I don't even get a chance to supply a password! (Well, I shouldn't 
>>> have to, I'm root.) Also, the KDC shows this in the error log:
>>>
>>> "preauth (timestamp) verify failure: No matching key in entry
>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED: 
>>> $user@$host
>>> for krbtgt/$host@$host, Preauthentication failed"
>>>
>>> If I remove the preauth requirement in the users policy the "su" 
>>> works fine. Also Kerberos users are able to login to the machine via 
>>> ssh and locally without any problems when preauth is enabled, so it 
>>> is specific to "su" when I am root.
>>>
>>> One thing I noticed was that when using SL 3.0.x the "su - $user" 
>>> does not talk to the KDC at all (or at least the KDC does not log 
>>> it). I also noticed that /etc/pam.d/su are different in the 2 
>>> versions and I have tried making them the same with no effect. I have 
>>> also tried disabling SELinux and still the same.
>>>
>>> BTW, "su - $user" as root works fine on all my SL 3.0.x and RHEL 3 
>>> boxes.
>>>
>>> Any thoughts/help would be appreciated.
>>>
>>> Regards,
>>>
>> Hi Ryan,
>> How are you changing whether to pre-authenticate or not?  In your 
>> /etc/krb5.conf?  And if so, which sections?
>>
>> Do you have AFS installed?
>> I have had problems doing kerberos authentication when AFS was 
>> installed, and I'm just wondering if it's related.
>>
>> Have you tried turning debug on, for both SL 3.0.x and SL 4.x to see 
>> what the difference is there?  I'm finding that it really spits a lot 
>> of information out.
>>
>> Troy
> 
> 
> 
> Hi Troy,
> 
> I was changing the pre-authentication in the principals Attributes, i.e. 
> kadmin modprinc +requires_preauth $principal.
> 
> AFS was not installed on this machine, so I don't think it is related.
> 
> I set "debug = true" in the [appdefaults] section of the krb5.conf on 
> the client, is there somewhere else I can add debug info? It doesn't 
> seem to log anything in messages or secure when I try "su - $user" as root.
> 
> Thanks for the help,
> 
> Ryan

Yes, you need to add

# Save debug messages to debug.log
*.debug                                           /var/log/debug.log

to /etc/syslog.conf and restart syslog (/etc/init.d/syslog restart).

Actually you can have it go to any file you want, but you might want to 
not have it in messages, because it really spits out a lot.

Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/CSS  CSI Group
__________________________________________________
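As an added example, not code from anyone in this thread, the following shell script packages Troy's syslog.conf change as an idempotent function, adds a guarded version of his restart step, and pulls the PREAUTH_FAILED AS_REQ lines of the kind Ryan quoted out of a KDC log so the enctypes the client offered can be set against the key enctypes stored for the principal. The realm EXAMPLE.ORG, the 192.0.2.x addresses, the temporary file paths and every log line are constructed; the etype comparison is this example's reading of "No matching key in entry" (the KDC found no key in the principal's entry for the enctype the client used), which the thread itself does not settle.

```shell
#!/bin/sh
# Added example, not code from the original thread.  It packages Troy's
# syslog.conf change as an idempotent function and pulls the PREAUTH_FAILED
# lines Ryan quoted out of a KDC log.  The EXAMPLE.ORG realm, the 192.0.2.x
# addresses, the temp files and all log lines below are constructed.

DEBUG_LOG_RULE='*.debug                                           /var/log/debug.log'

# enable_debug_log CONF
# Append the *.debug rule to a syslog.conf unless an uncommented *.debug
# selector is already present.  Prints "added" or "present".
enable_debug_log() {
    conf=$1
    if grep -Eq '^[[:space:]]*[*][.]debug[[:space:]]+-?/' "$conf"; then
        echo present
        return 0
    fi
    {
        echo '# Save debug messages to debug.log'
        echo "$DEBUG_LOG_RULE"
    } >>"$conf"
    echo added
}

# restart_syslog
# Troy's restart step.  Only attempted as root on a host that still has the
# SysV init script the thread assumes; otherwise reports and returns 1.
restart_syslog() {
    if [ "$(id -u)" -eq 0 ] && [ -x /etc/init.d/syslog ]; then
        /etc/init.d/syslog restart
    else
        echo 'skip: not root or no /etc/init.d/syslog' >&2
        return 1
    fi
}

# preauth_failures LOGFILE
# One line per PREAUTH_FAILED AS_REQ: "ADDR PRINCIPAL {etypes}".  The etype
# list is what the client offered, in the order the KDC logged it.
preauth_failures() {
    sed -n -E \
        's/^.*AS_REQ \([0-9]+ etypes [{]([^}]*)[}]\) ([^(]+)\([0-9]+\): PREAUTH_FAILED: ([^ ]+) for .*$/\2 \3 {\1}/p' \
        "$1"
}

# etypes_missing_from_entry "OFFERED" "ENTRY"
# Print, space separated, the etype numbers the client offered that are not
# among the key enctypes stored for the principal (e.g. the numbers shown by
# `kadmin getprinc`).  Empty output means every offered etype has a key.
etypes_missing_from_entry() {
    missing=
    for e in $1; do
        found=0
        for k in $2; do
            [ "$e" = "$k" ] && found=1
        done
        [ "$found" -eq 0 ] && missing="$missing $e"
    done
    printf '%s\n' "${missing# }"
}

# Demo on constructed data; touches only the temp files it creates.
tmpconf=$(mktemp) || exit 1
cat >"$tmpconf" <<'EOF'
# Constructed syslog.conf excerpt
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
EOF
enable_debug_log "$tmpconf"   # added
enable_debug_log "$tmpconf"   # present

tmplog=$(mktemp) || exit 1
cat >"$tmplog" <<'EOF'
Apr 22 10:12:01 kdc.example.org krb5kdc[1234](info): preauth (timestamp) verify failure: No matching key in entry
Apr 22 10:12:01 kdc.example.org krb5kdc[1234](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.20(88): PREAUTH_FAILED: ryan@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
Apr 22 10:12:05 kdc.example.org krb5kdc[1234](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.21(88): ISSUE: authtime 1114182725, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
EOF
preauth_failures "$tmplog"    # 192.0.2.20 ryan@EXAMPLE.ORG {18 17 16 23 1 3 2}
etypes_missing_from_entry "18 17 16 23 1 3 2" "16 23"   # 18 17 1 3 2
rm -f "$tmpconf" "$tmplog"
```

Run as an unprivileged user it only works on the temporary files it creates; restart_syslog refuses unless it is root on a host with /etc/init.d/syslog. For Ryan's case the same two checks would be pointed at the KDC's own log and at the enctypes kadmin getprinc reports for the principal that has +requires_preauth set.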
