Troy Dawson wrote:
> Ryan Enge wrote:
>
>> Hi All,
>>
>> I am wondering if anyone has had the same issue I am currently having
>> with Kerberos and pre-authentication. When I have preauth enabled for
>> a user in Kerberos I cannot "su" to that user when I am logged in as
>> root. Instead I get an error:
>>
>> "su: incorrect password"
>>
>> And I don't even get a chance to supply a password! (Well, I shouldn't
>> have to, I'm root.) Also the KDC shows this in the error log:
>>
>> "preauth (timestamp) verify failure: No matching key in entry
>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED:
>> $user@$host for krbtgt/$host@$host, Preauthentication failed"
>>
>> If I remove the preauth requirement in the user's policy the "su"
>> works fine. Also Kerberos users are able to log in to the machine via
>> ssh and locally without any problems when preauth is enabled, so it
>> is specific to "su" when I am root.
>>
>> One thing I noticed was that when using SL 3.0.x the "su - $user"
>> does not talk to the KDC at all (or at least the KDC does not log
>> it). I also noticed that /etc/pam.d/su is different in the two
>> versions and I have tried making them the same with no effect. I have
>> also tried disabling SELinux and still the same.
>>
>> BTW, "su - $user" as root works fine on all my SL 3.0.x and RHEL 3
>> boxes.
>>
>> Any thoughts/help would be appreciated.
>>
>> Regards,
>
> Hi Ryan,
>
> How are you changing whether to pre-authenticate or not? In your
> /etc/krb5.conf? And if so, which sections?
>
> Do you have AFS installed?
> I have had problems doing Kerberos authentication when AFS was
> installed, and I'm just wondering if it's related.
>
> Have you tried turning debug on, for both SL 3.0.x and SL 4.x, to see
> what the difference is there? I'm finding that it really spits a lot
> of information out.
>
> Troy

Hi Troy,

I was changing the pre-authentication in the principal's attributes, i.e.
kadmin modprinc +requires_preauth $principal.

AFS was not installed on this machine, so I don't think it is related.

I set "debug = true" in the [appdefaults] section of the krb5.conf on the
client. Is there somewhere else I can add debug info? It doesn't seem to
log anything in messages or secure when I try "su - $user" as root.

Thanks for the help,
Ryan
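As an added example (not code from this thread or from the MIT Kerberos project), here is a small parser for the two KDC log lines quoted above that pairs each "preauth ... verify failure" line with the AS_REQ outcome logged right after it, so that "No matching key in entry" failures (no KDC key for any enctype the client offered) can be told apart from ordinary wrong-password failures. The log layout follows the lines in the thread; the sample lines, principals and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Matches the AS_REQ line quoted in the thread (MIT krb5kdc.log format of that era):
#   AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED: user@REALM for krbtgt/REALM@REALM, Preauthentication failed
AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>\S+?): (?P<result>[A-Z_]+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")
VERIFY_RE = re.compile(r"preauth \((?P<mech>[^)]+)\) verify failure: (?P<reason>.*)$")  # logged just before PREAUTH_FAILED
@dataclass
class AsReqEvent:
    client: str
    service: str
    addr: str
    etypes: list                   # enctypes the client offered, in preference order
    result: str                    # e.g. PREAUTH_FAILED or ISSUE
    verify_reason: Optional[str]   # reason from the preceding verify-failure line, if any

def parse_kdc_log(lines):
    """Pair each 'preauth ... verify failure' line with the AS_REQ outcome logged right after it."""
    events, pending = [], None
    for line in lines:
        v = VERIFY_RE.search(line)
        if v:
            pending = v.group("reason")   # hold it until the matching AS_REQ line arrives
            continue
        m = AS_REQ_RE.search(line)
        p = PRINC_RE.search(m.group("rest")) if m else None
        if not p:
            continue
        failed = m.group("result") == "PREAUTH_FAILED"
        events.append(AsReqEvent(
            client=p.group("client"), service=p.group("service"), addr=m.group("addr"),
            etypes=[int(e) for e in m.group("etypes").split()],
            result=m.group("result"), verify_reason=pending if failed else None))
        pending = None
    return events

def key_mismatch_failures(events):
    """Failures where the KDC had no key for any offered enctype (the thread's symptom), not a wrong password."""
    return [e for e in events
            if e.result == "PREAUTH_FAILED" and e.verify_reason and "No matching key" in e.verify_reason]

# Constructed sample lines in the format quoted in the thread (not real KDC output)
SAMPLE_KDC_LOG = [
    "Mar 01 09:12:01 kdc krb5kdc[2104](info): preauth (timestamp) verify failure: No matching key in entry",
    "Mar 01 09:12:01 kdc krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10(88): PREAUTH_FAILED: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed",
    "Mar 01 09:13:44 kdc krb5kdc[2104](info): preauth (timestamp) verify failure: Decrypt integrity check failed",
    "Mar 01 09:13:44 kdc krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11(88): PREAUTH_FAILED: bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed",
    "Mar 01 09:14:02 kdc krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.12(88): ISSUE: authtime 1109668442, etypes {rep=16 tkt=16 ses=16}, carol@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
]
```

Running `key_mismatch_failures(parse_kdc_log(SAMPLE_KDC_LOG))` on the sample returns only alice's request, the case where the enctype list the client sent has no key in the principal's entry.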