hi

you are missing a .k5login profile on your linux box, in the home directory
for the user you want to log in as.

you may try creating a .k5login file with an entry of your principal name
([EMAIL PROTECTED]) with which you got your initial TGT.

try this. it should work

suresh
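As an added example (not code from either poster), here is a small POSIX shell helper that adds a principal to a user's .k5login, locks the file down, and checks whether a given principal is listed. It assumes the login program does an exact-line match against .k5login and that a group- or world-writable file should be treated as unsafe; the principal and home directory used below are constructed from the thread, not real accounts.

```shell
#!/bin/sh
# Constructed example: manage and audit ~/.k5login for Kerberos logins.
# Assumptions (not from the thread): one principal per line, exact-line
# matching, and the file should be owned by the user and not writable
# by anyone else, since every principal listed may log in as that user.

# k5login_add HOME_DIR PRINCIPAL [OWNER]
# Appends PRINCIPAL to HOME_DIR/.k5login if not already present, tightens
# permissions, optionally chowns to OWNER, and prints the entry count.
k5login_add() {
    home="$1"; princ="$2"; owner="${3:-}"
    f="$home/.k5login"
    [ -f "$f" ] || : > "$f"
    # -x: whole-line match, so user@REALM does not also match user2@REALM
    if ! grep -qxF "$princ" "$f"; then
        printf '%s\n' "$princ" >> "$f"
    fi
    chmod 0600 "$f"
    [ -z "$owner" ] || chown "$owner" "$f"
    grep -c . "$f"
}

# k5login_check HOME_DIR PRINCIPAL
# Returns 0 if PRINCIPAL is listed, 1 if not (or no file), 2 if the file
# is group- or world-writable and should not be trusted at all.
k5login_check() {
    f="$1/.k5login"
    [ -f "$f" ] || return 1
    # Columns 6 and 9 of "ls -l" are the group and other write bits
    perm=$(ls -ld "$f" | cut -c1-10)
    case "$perm" in
        ?????w????|????????w?) return 2 ;;
    esac
    grep -qxF "$2" "$f"
}
```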

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 15 March 2002 21:33
To: [EMAIL PROTECTED]
Subject: Tickets accepted upon login but still prompted for password


I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
for telnet access.  The KDC is a Windows 2000 Server (SP2).  I have
successfully setup a service principal for the Linux box in the 2000
domain and I have transferred the keytab to the Linux box and imported
it into /etc/krb5.keytab.

A user can successfully obtain tickets from the KDC while logging in,
but when I try to test an automatic telnet login the user's tickets
are accepted but the user is still prompted for a password.  I would
prefer the users not to be prompted once they obtain their Kerberos
tickets.

Am I missing something so obvious it's stupid? :)  I have krb5-telnet
activated in xinetd and have specified it to use login.krb5.  I also
have the default PAM config files for RH7.1.  I have tried using
authconfig to include Kerberos authentication, but that did not make a
difference.  Below are relevant configuration files and sample outputs
from a telnet session.

Any help would be greatly appreciated.  Let me know if you need any
more information.  Please CC: my email address with any responses. 
Thank you in advance.

Regards,
Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg(at)shermanfinancialgroup.com


***********************************************************
[root@rh71test ~]# telnet rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com.
Escape character is '^]'.

    rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001) (4)

login: arechenberg
Password for arechenberg:
Last login: Fri Mar 15 10:38:46 from rh71test

[arechenberg@rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_p31503
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
03/15/02 10:49:24  03/15/02 20:49:24  [EMAIL PROTECTED]
        Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/15/02 10:49:24  03/15/02 10:54:24  [EMAIL PROTECTED]
        Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``[EMAIL PROTECTED]'' ]
Password for arechenberg:

^^^^^^^^^^^^^^^^^^^^^^^^^
Tickets accepted, but still prompted for password. :\


[root@rh71test ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = SHERMFIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true

[realms]
 SHERMFIN.COM = {
  kdc = mykdc.shermfin.com:88
  default_domain = shermfin.com
 }

[domain_realm]
 .shermfin.com = SHERMFIN.COM
 shermfin.com = SHERMFIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false


[root@rh71test ~]# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        server_args     = -a valid -L /bin/login.krb5
        log_on_failure  += USERID
        disable         = no
}

[root@rh71test ~]# cat /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

[root@rh71test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos