Ryan Enge wrote:
> Troy Dawson wrote:
>
>> Ryan Enge wrote:
>>
>>> Hi All,
>>>
>>> I am wondering if anyone has had the same issue I am currently having
>>> with Kerberos and pre-authentication. When I have preauth enabled for
>>> a user in Kerberos I cannot "su" to that user when I am logged in as
>>> root. Instead I get an error:
>>>
>>> "su: incorrect password"
>>>
>>> And I don't even get a chance to supply a password! (Well, I shouldn't
>>> have to, I'm root.) Also the KDC shows this in the error log:
>>>
>>> "preauth (timestamp) verify failure: No matching key in entry
>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) $IP(88): PREAUTH_FAILED:
>>> $user@$host
>>> for krbtgt/$host@$host, Preauthentication failed"
>>>
>>> If I remove the preauth requirement in the user's policy the "su"
>>> works fine. Also Kerberos users are able to log in to the machine via
>>> ssh and locally without any problems when preauth is enabled, so it
>>> is specific to "su" when I am root.
>>>
>>> One thing I noticed was that when using SL 3.0.x the "su - $user"
>>> does not talk to the KDC at all (or at least the KDC does not log
>>> it). I also noticed that /etc/pam.d/su is different in the 2
>>> versions and I have tried making them the same with no effect. I have
>>> also tried disabling SELinux and still the same.
>>>
>>> BTW, "su - $user" as root works fine on all my SL 3.0.x and RHEL 3
>>> boxes.
>>>
>>> Any thoughts/help would be appreciated.
>>>
>>> Regards,
>>>
>> Hi Ryan,
>> How are you changing whether to pre-authenticate or not? In your
>> /etc/krb5.conf? And if so, which sections?
>>
>> Do you have AFS installed?
>> I have had problems doing Kerberos authentication when AFS was
>> installed, and I'm just wondering if it's related.
>>
>> Have you tried turning debug on, for both SL 3.0.x and SL 4.x to see
>> what the difference is there? I'm finding that it really spits a lot
>> of information out.
>>
>> Troy
>
> Hi Troy,
>
> I was changing the pre-authentication in the principal's attributes, i.e.
> kadmin modprinc +requires_preauth $principal.
>
> AFS was not installed on this machine, so I don't think it is related.
>
> I set "debug = true" in the [appdefaults] section of the krb5.conf on
> the client; is there somewhere else I can add debug info? It doesn't
> seem to log anything in messages or secure when I try "su - $user" as root.
>
> Thanks for the help,
>
> Ryan

Yes, you need to add

# Save debug messages to debug.log
*.debug /var/log/debug.log

to /etc/syslog.conf and restart syslog. (/etc/init.d/syslog restart)

Actually you can have it go to any file you want, but you might want to
not have it in messages, because it really spits out a lot.

Troy

--
__________________________________________________
Troy Dawson
(630)840-6468
Fermilab ComputingDivision/CSS CSI Group
__________________________________________________
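A small POSIX shell script for the syslog.conf change Troy describes, added here as an example and not part of the thread. It adds the `*.debug` selector only if the file does not already route debug output to the chosen log, so running it twice does not duplicate the rule; the `/var/log/debug.log` path and the sample syslog.conf lines are the thread's and constructed values, and the function takes the config path as an argument so it can be tried on a copy before touching `/etc/syslog.conf`. The syslog restart is left as a comment because it depends on the init system of the host.

```shell
#!/bin/sh
# Added example (not from the original thread): route *.debug to its own file
# so Kerberos/PAM debug output does not flood /var/log/messages.

# ensure_debug_rule CONF [LOGFILE]
# Appends "*.debug  LOGFILE" to CONF unless a *.debug rule already names
# LOGFILE. Returns 0 if the file was changed, 1 if the rule was present.
ensure_debug_rule() {
    conf="$1"
    logfile="${2:-/var/log/debug.log}"   # thread's default destination
    # A leading "-" on the target (no fsync) is also accepted by the check.
    if grep -E '^[[:space:]]*\*\.debug[[:space:]]' "$conf" 2>/dev/null \
        | grep -qF -- "$logfile"; then
        return 1
    fi
    printf '\n# Save debug messages to %s\n*.debug\t\t\t%s\n' \
        "$logfile" "$logfile" >> "$conf"
    return 0
}

# count_debug_rules CONF
# Prints the number of *.debug rules in CONF (used to verify idempotence).
count_debug_rules() {
    grep -cE '^[[:space:]]*\*\.debug[[:space:]]' "$1" 2>/dev/null || true
}

# Demo on a temporary copy: run as "sh script.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    # Constructed sample syslog.conf content, typical of SL/RHEL 3-4 era.
    printf '*.info;mail.none;authpriv.none\t/var/log/messages\n' > "$tmp"
    printf 'authpriv.*\t/var/log/secure\n' >> "$tmp"
    ensure_debug_rule "$tmp" /var/log/debug.log && echo "rule added"
    ensure_debug_rule "$tmp" /var/log/debug.log || echo "rule already present"
    echo "debug rules now: $(count_debug_rules "$tmp")"
    cat "$tmp"
    rm -f "$tmp"
    # On the real host, after editing /etc/syslog.conf:
    #   /etc/init.d/syslog restart
fi
```

After the restart, repeat the failing `su - $user` as root and read `/var/log/debug.log` next to the KDC log line Ryan quoted; the client-side pam_krb5 debug output shows which principal and which step of the AS exchange failed.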