I have a Red Hat Linux 7.1 box set up to use Kerberos authentication for telnet access. The KDC is a Windows 2000 Server (SP2). I have successfully set up a service principal for the Linux box in the 2000 domain and I have transferred the keytab to the Linux box and imported it into /etc/krb5.keytab.
A user can successfully obtain tickets from the KDC while logging in, but when I try to test an automatic telnet login the user's tickets are accepted but the user is still prompted for a password. I would prefer the users not to be prompted once they obtain their Kerberos tickets. Am I missing something so obvious it's stupid? :)

I have krb5-telnet activated in xinetd and have specified it to use login.krb5. I also have the default PAM config files for RH7.1. I have tried using authconfig to include Kerberos authentication, but that did not make a difference.

Below are relevant configuration files and sample outputs from a telnet session. Any help would be greatly appreciated. Let me know if you need any more information. Please CC: my email address with any responses.

Thank you in advance.

Regards,
Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg(at)shermanfinancialgroup.com

***********************************************************

[root@rh71test ~]# telnet rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com.
Escape character is '^]'.
rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001) (4)

login: arechenberg
Password for arechenberg:
Last login: Fri Mar 15 10:38:46 from rh71test
[arechenberg@rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_p31503
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
03/15/02 10:49:24  03/15/02 20:49:24  [EMAIL PROTECTED]
        Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/15/02 10:49:24  03/15/02 10:54:24  [EMAIL PROTECTED]
        Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``[EMAIL PROTECTED]'' ]
Password for arechenberg:
^^^^^^^^^^^^^^^^^^^^^^^^^
Tickets accepted, but still prompted for password. :\

[root@rh71test ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = SHERMFIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true

[realms]
 SHERMFIN.COM = {
  kdc = mykdc.shermfin.com:88
  default_domain = shermfin.com
 }

[domain_realm]
 .shermfin.com = SHERMFIN.COM
 shermfin.com = SHERMFIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

[root@rh71test ~]# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        server_args     = -a valid -L /bin/login.krb5
        log_on_failure  += USERID
        disable         = no
}

[root@rh71test ~]# cat /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

[root@rh71test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

________________________________________________
Kerberos mailing list  [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
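The `-a valid` argument given to telnetd above only skips the login password when the authenticated principal is also authorized for the local account, the check MIT telnetd makes through krb5_kuserok(): an entry in the account's ~/.k5login, or otherwise the default mapping user@DEFAULT_REALM. The Python below is an added illustration of that mapping, not code from this post or from MIT Kerberos; the realm AD.EXAMPLE.COM and the .k5login contents are constructed sample values, since the post redacts the user's realm.

```python
# Added illustration (not from the original post or from MIT Kerberos) of the
# authorization step telnetd -a valid performs after the ticket is accepted:
# MIT's krb5_kuserok() decides whether the authenticated principal may log in
# to the local account without a password. Simplified model: the real check
# also verifies who owns ~/.k5login and applies auth_to_local rules.

def principal_authorized(principal, local_user, default_realm, k5login=None):
    """Return True if `principal` may use `local_user` with no password.

    If the account has a ~/.k5login (passed here as its text), only the
    principals listed there are accepted.  Without one, the principal must
    be exactly local_user@default_realm, the default aname-to-lname mapping.
    """
    if k5login is not None:
        allowed = {line.strip() for line in k5login.splitlines() if line.strip()}
        return principal in allowed
    return principal == f"{local_user}@{default_realm}"


def auth_level(principal, local_user, default_realm, k5login=None):
    """Model the level telnetd reaches: 'valid' skips the password prompt,
    'user' means the ticket was accepted but login still asks for one."""
    ok = principal_authorized(principal, local_user, default_realm, k5login)
    return "valid" if ok else "user"


def explain(principal, local_user, default_realm, k5login=None):
    """One-line diagnosis of why the password prompt does or does not appear."""
    if auth_level(principal, local_user, default_realm, k5login) == "valid":
        return f"{principal} -> {local_user}: AUTH_VALID, login runs preauthenticated"
    if k5login is not None:
        return f"{principal} -> {local_user}: AUTH_USER only, not listed in .k5login"
    return (f"{principal} -> {local_user}: AUTH_USER only, does not equal "
            f"{local_user}@{default_realm} (no .k5login); password prompt follows")


if __name__ == "__main__":
    # Constructed sample values: the post redacts the user's realm.
    realm = "SHERMFIN.COM"                       # default_realm from krb5.conf
    print(explain("arechenberg@SHERMFIN.COM", "arechenberg", realm))
    # A principal from another realm (constructed name) is accepted by the
    # KDC but not mapped to the account, so login.krb5 prompts for a password.
    print(explain("arechenberg@AD.EXAMPLE.COM", "arechenberg", realm))
    # Listing that principal in ~/.k5login restores the password-less login.
    print(explain("arechenberg@AD.EXAMPLE.COM", "arechenberg", realm,
                  k5login="arechenberg@AD.EXAMPLE.COM\n"))
```

Comparing the principal shown in the "Kerberos V5 accepts you as" line with the account name and default_realm in krb5.conf, or with the contents of ~/.k5login, is the quickest way to see which of the two levels telnetd reached.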