Sensei wrote:

> On 2006-03-30 01:21:04 +0200, Quinten <[EMAIL PROTECTED]> said:
>
>> Our environment is currently using 2 AD/realms. I am trying to set
>> up a RHEL3 host to authenticate users from both realms. If the
>> default_realm in /etc/krb5.conf is set to one realm, the users in the
>> other realm cannot authenticate and vice versa. So there is no issue
>> on any settings, they just seem unable to coexist.
>
> Naive question... can you kinit the NOT_DEFAULT_REALM?
No, but if I make the other realm default I can. All users from realm, say
AD1, can authenticate if AD1 is default in krb5.conf. All users from realm,
say AD2, can authenticate if AD2 is default in krb5.conf.

>> The pam_krb5.so module in /etc/pam.d/system-auth is set to
>> "sufficient". I have tried to add another entry:
>>
>> account sufficient /lib/security/$ISA/pam_krb5.so.0
>> account sufficient /lib/security/$ISA/pam_krb5.so.0\
>> realm=not.my.default
>
> Is that a backslash?

No, typo in posting, not in the file.

>> There is a similar setup we have on Solaris hosts that does actually
>> work.
>
> Similar? How? What is the difference?

On the Solaris host, a workaround has been established by copying and
renaming the pam_krb5 module and adding this module entry in the pam.conf
with the option realm=ad2.domain.com. If the first entry fails (default
realm), pam continues with the second, renamed entry with the option that
overrides the default realm.

>> I am not quite sure whether this is a PAM or a pam_krb5 issue. Does
>> anyone have any suggestions or ideas how to solve this?
>
> Post more information, pam settings, krb5.conf on both sides, ...

The settings below, /etc/krb5.conf and /etc/pam.d/system-auth, allow users
from AD1 because it's the default realm in krb5.conf. Users from AD2 are
not authenticated: verbose debug shows that uid and gid are actually found
(NIS) but are not found in the Kerberos database.
system-auth
===========

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM use_first_pass
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_krb5.so debug
account     sufficient    /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM use_authtok
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     sufficient    /lib/security/$ISA/pam_krb5.so debug
session     sufficient    /usr/local/lib/security/pam_krb5.so realm=AD2.DOMAIN.COM

krb5.conf
=========

[libdefaults]
 default_realm = AD1.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 AD1.DOMAIN.COM = {
  kdc = dc001.ad1.domain.com:88
  kdc = dc003.ad1.domain.com:88
  admin_server = dc001.ad1.domain.com:749
  kpasswd_protocol = SET_CHANGE
 }
 AD2.DOMAIN.COM = {
  kdc = dc001.ad2.domain.com:88
  kdc = dc002.ad2.domain.com:88
  admin_server = dc001.ad2.domain.com:749
  kpasswd_protocol = SET_CHANGE
 }

[domain_realm]
 .ad1.domain.com = AD1.DOMAIN.COM
 ad1.domain.com = AD1.DOMAIN.COM
 .ad2.domain.com = AD2.DOMAIN.COM
 ad2.domain.com = AD2.DOMAIN.COM

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
 kinit = {
  renewable = true
  forwardable = true
 }
 login = {
  krb5_get_tickets = true
 }

messages
========

Mar 28 14:02:28 lsftest001 sshd(pam_unix)[6488]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vaughan user= user1
Mar 28 14:02:28 lsftest001 sshd[6488]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Mar 28 14:02:28 lsftest001 sshd[6488]: pam_krb5: authentication fails for `user1'

And more verbose:

Apr 4 12:59:22 lsftest001 sshd(pam_unix)[8484]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vaughan user=user2
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_config() called
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: Creating a ticket with addresses
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: krb4_convert false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: password-changing banner set to `Kerberos 5'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: ccache directory set to `/tmp'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets forwardable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting initial timeout to 1
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: keytab file name set to `/etc/krb5.keytab'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting maximum timeout to 30
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: will only attempt to authenticate users when UID >= 0
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to `host/lsftest001'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD1.DOMAIN.COM'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637, gid 40
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to authenticate `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned Client not found in Kerberos database
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails for `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_config() called
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: Creating a ticket with addresses
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: krb4_convert false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: password-changing banner set to `Kerberos 5'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: ccache directory set to `/tmp'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets forwardable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting initial timeout to 1
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: keytab file name set to `/etc/krb5.keytab'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting maximum timeout to 30
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: will only attempt to authenticate users when UID >= 0
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to `host/lsftest001'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD2.DOMAIN.COM'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637, gid 40
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to authenticate `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned Client not found in Kerberos database
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails for `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: making tickets proxiable
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting renewable lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: required_tgs set to `host/lsftest001'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting ticket lifetime to 36000
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: setting timeout shift to 2
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: use_authtok false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user_check true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: validate false
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn true
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: warn_period 604800
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD2.DOMAIN.COM'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_get_user returned `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: `user2' has uid 35637, gid 40
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: attempting to authenticate `user2'
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: get_int_tkt returned Client not found in Kerberos database
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr 4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authentication fails for `user2'

thanks,
Quinten

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
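An added example (not code from the post or from pam_krb5) that summarises verbose pam_krb5 debug output like the messages above per pam_sm_authenticate() call, so one can confirm from the log which realm each of the two stacked pam_krb5 entries actually used for a user and how each attempt ended. The embedded log lines are constructed to mirror the post's format; parse_attempts, realms_tried and all_failed are names chosen here.

```python
import re

# Constructed sample in the syslog layout pam_krb5 writes with `debug` (two entries, two realms, one user).
SAMPLE_LOG = """\
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD1.DOMAIN.COM'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: pam_sm_authenticate() called (prc = Success)
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: default Kerberos realm is `AD2.DOMAIN.COM'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: user is `user2'
Apr  4 12:59:22 lsftest001 sshd[8484]: pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
"""

# "<mon> <day> <time> <host> <prog>[<pid>]: pam_krb5: <message>"
LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+\S+?\[(?P<pid>\d+)\]: pam_krb5: (?P<msg>.*)$")
REALM = re.compile(r"default Kerberos realm is `(?P<realm>[^']+)'")
USER = re.compile(r"^user is `(?P<user>[^']+)'")
ERROR = re.compile(r"authenticate error: (?P<error>.+?) \((?P<code>-?\d+)\)")

def parse_attempts(log_text):
    """One dict per pam_sm_authenticate() call: pid, realm, user, error, code."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # pam_unix and other non-pam_krb5 noise
        msg = m.group("msg")
        if msg.startswith("pam_sm_authenticate() called"):
            current = {"pid": int(m.group("pid")), "realm": None,
                       "user": None, "error": None, "code": None}
            attempts.append(current)
        elif current is not None:
            for rx in (REALM, USER, ERROR):
                r = rx.search(msg)
                if r:
                    current.update(r.groupdict())
    for a in attempts:                    # krb5 error codes are signed 32-bit ints
        a["code"] = int(a["code"]) if a["code"] is not None else None
    return attempts

def realms_tried(attempts, user):
    """Sorted realms in which some pam_krb5 entry tried to authenticate `user`."""
    return sorted({a["realm"] for a in attempts if a["user"] == user and a["realm"]})

def all_failed(attempts, user):
    """True when every attempt for `user` ended in an authenticate error."""
    mine = [a for a in attempts if a["user"] == user]
    return bool(mine) and all(a["error"] is not None for a in mine)
```

If realms_tried lists both realms and all_failed is still true, the realm= option did take effect and the failure lies with the principal lookup itself rather than with the PAM stack order.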