On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
> > claer:*:1000:1000:Claer:/home/claer:/bin/ksh
> >
> > Now the next step is to try an authentication with ssh. That's why
> > /etc/login.conf has been modified regarding the auth entry:
> >
> > auth-defaults:auth=krb5-or-pwd,passwd:
> >
> > But, when I try to ssh in with -l claer, sshd doesn't seem to find
> > the "claer" passwd entry and I have this line on the kerberos server:
> >
> > May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
> >
> > Any hint?
>
> Did you add your host principal to /etc/kerberosV/krb5.keytab?
Yep. If the "claer" local account is enabled, it's working fine with Kerberos auth. I can confirm this by watching log files, and I even tried to alter the hashed passwd with vipw to be sure I was not using the local password.

ypldap + ypbind are working fine:

# tail -n 2 /etc/passwd
_claer:*:1000:1000:Claer:/home/claer:/bin/ksh
+:*:0:0:::/bin/ksh

# getent passwd | tail -n 4
_claer:$2a$06$SgIzOv47AbodJPX7jzgAoOioV322Dk5Cha9VCyqgU/b6/YUDU4TM6:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh
megami:*:1001:1001:Megami:/home/megami:/bin/ksh
nobody:*:65534:65534:nobody:/nonexistent:/bin/ksh

I started a test ssh server on port 2222 to check. Here are the interesting debug logs:

debug1: userauth-request for user claer service ssh-connection method none
debug1: attempt 0 failures 0
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: userauth-request for user claer service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: userauth-request for user claer service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=claer devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
debug1: userauth-request for user claer service ssh-connection method password
debug1: attempt 3 failures 2
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: Kerberos password authentication failed: Client not found in Kerberos database
debug1: krb5_cleanup_proc called
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2

The log extract from authlog:

May 19 20:44:24 socrate krb5-or-pwd: verify: Client not found in Kerberos database

However, on the kerberos server side, no request has been made for the "claer" account:

May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!

Claer
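A small triage script, added here as an example and not part of the thread, that reads the sshd debug output and the KDC line quoted above and reports whether the login broke at account lookup on the ssh server (before any Kerberos exchange) or at the KDC. The sample log lines are copied from the messages above; the function name, regexes and report keys are my own.

```python
import re

# Constructed sample input: the sshd debug output and KDC line quoted in the thread.
SSHD_DEBUG = """\
debug1: userauth-request for user claer service ssh-connection method none
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: Kerberos password authentication failed: Client not found in Kerberos database
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2
"""
KDC_LOG = """\
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
"""

LOGIN_CLASS_RE = re.compile(r"unable to get login class: (\S+)")
INVALID_USER_RE = re.compile(r"\binvalid user (\S+)")
SSHD_KRB5_RE = re.compile(r"Kerberos password authentication failed: (.*)")
# KDC AS_REQ line: "<source>: <RESULT>: <client principal> for <server principal>"
AS_REQ_RE = re.compile(r"AS_REQ .*?: ([A-Z_]+): (\S+) for (\S+)")


def triage(sshd_debug, kdc_log, user):
    """Decide at which stage the ssh login for `user` broke down.

    sshd resolves the account (passwd entry, login class) before any
    authentication method runs; when that fails it marks the user invalid,
    and the Kerberos step never carries the real principal to the KDC.
    """
    report = {"login_class_lookup_failed": False, "marked_invalid": False,
              "sshd_krb5_error": None, "kdc_clients": [], "kdc_saw_user": False}
    for line in sshd_debug.splitlines():
        if (m := LOGIN_CLASS_RE.search(line)) and m.group(1) == user:
            report["login_class_lookup_failed"] = True
        if (m := INVALID_USER_RE.search(line)) and m.group(1) == user:
            report["marked_invalid"] = True
        if m := SSHD_KRB5_RE.search(line):
            report["sshd_krb5_error"] = m.group(1).strip()
    for line in kdc_log.splitlines():
        if m := AS_REQ_RE.search(line):      # (result code, client principal)
            report["kdc_clients"].append((m.group(1), m.group(2)))
    # Compare only the principal's name part, ignoring the @REALM suffix.
    report["kdc_saw_user"] = any(
        princ.split("@", 1)[0] == user for _, princ in report["kdc_clients"])
    if report["marked_invalid"] and not report["kdc_saw_user"]:
        report["verdict"] = "account lookup on the ssh server failed before Kerberos was consulted"
    elif report["kdc_saw_user"]:
        report["verdict"] = "KDC rejected the principal"
    else:
        report["verdict"] = "no failure recorded for user"
    return report
```

For the thread's logs the verdict points at the account lookup on the sshd host (the login class/passwd resolution), not at the KDC, which is consistent with the KDC never seeing an AS_REQ for "claer".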