Apologies for not getting back to you sooner;
I had to spend a couple of days in hospital.

But you said that's in /etc/krb5.conf, so that can't be the problem.
pam-krb5 just makes the same library calls as kinit and kvno, so if they
work and see that setting, so will pam-krb5.  Unless maybe you have
multiple krb5.conf files in different locations and are setting
KRB5_CONFIG or something?  That seems unlikely.

Yes. There exists one plain /etc/krb5.conf file.

Do you have any domain_realm settings?  If the Kerberos libraries aren't
figuring out which realm the local host is in, that could definitely
explain the problem that you're seeing.

I do. I can even nail down my host to its realm via an explicit host entry in the
domain_realm stanza - no effect.

I have attached my krb5.conf.

The error message is consistent
with the Kerberos libraries getting a service ticket for a different host
principal than the one that's in the keytab, either because they disagree
with the keytab about what the local host name is or because they are
getting a service ticket for a host principal in the wrong realm.

I even find the correct service principal in my cred cache after a failed login 
attempt:


$ kinit
Password for salzmann@<AD realm>:
$ klist
Ticket cache: FILE:/tmp/krb5cc_12345_K19908
Default principal: salzmann@<AD realm>

Valid starting     Expires            Service principal
01/25/11 17:36:03  01/26/11 03:36:09  krbtgt/<AD realm>@<AD realm>
        renew until 01/26/11 17:36:03
$ ssh adtest
Password:
Password:
^C
$ klist
Ticket cache: FILE:/tmp/krb5cc_11752_K19908
Default principal: salzmann@<AD realm>

Valid starting     Expires            Service principal
01/25/11 17:36:03  01/26/11 03:36:09  krbtgt/<AD realm>@<AD realm>
        renew until 01/26/11 17:36:03
01/25/11 17:36:19  01/26/11 03:36:09  krbtgt/<UX realm>@<AD realm>
        renew until 01/26/11 17:36:03
01/25/11 17:36:19  01/26/11 03:36:09  host/<principal>@<UX realm>
        renew until 01/26/11 17:36:03



[libdefaults]
        default_realm = <AD realm>
        allow_weak_crypto = true

[realms]
        <AD realm> = {
                kdc = windc1.<DOMAIN>
                kdc = windc2.<DOMAIN>
                admin_server = windc1.<DOMAIN>
        }
        <UX realm> = {
                kdc = kdc1.<SUB1>.<DOMAIN>
                kdc = kdc2.<SUB1>.<DOMAIN>
                kdc = kdc3.<SUB1>.<DOMAIN>
                admin_server = admin_kdc.<SUB1>.<DOMAIN>
        }
        <AD sub realm> = {
                kdc = dc1.<SUB1>.<DOMAIN>
                kdc = dc2.<SUB1>.<DOMAIN>
                admin_server = dc1.<SUB1>.<DOMAIN>
        }


[domain_realm]
# ensure that DCs are in correct realm
        kdc1.<SUB1>.<DOMAIN>     = <UX realm>
        kdc2.<SUB1>.<DOMAIN>     = <UX realm>
        kdc3.<SUB1>.<DOMAIN>     = <UX realm>
        dc1.<SUB1>.<DOMAIN>   = <AD sub realm>
        dc2.<SUB1>.<DOMAIN>   = <AD sub realm>
        windc1.<DOMAIN>       = <AD realm>
        windc2.<DOMAIN>       = <AD realm>

        .<SUB1>.<DOMAIN>         = <UX realm>
        <SUB1>.<DOMAIN>          = <UX realm>
        .<DOMAIN>             = <AD realm>
        <DOMAIN>              = <AD realm>

[capaths]
        <UX realm> = {
                <AD realm> = .
                <AD sub realm> = .
        }

        <AD sub realm> = {
                <UX realm> = .
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }

# eof
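The diagnosis quoted above (a service ticket for a different host principal than the one in the keytab, either because of a hostname disagreement or because the host maps to the wrong realm) can be checked mechanically. The script below is an added example, not code from this thread or from pam-krb5: it parses a [domain_realm] section, applies the MIT-style lookup rule (exact hostname first, then progressively shorter parent-domain entries, then default_realm) to work out which realm the libraries would put the host in, and compares the resulting host/ principal against a keytab listing. The krb5.conf text mirrors the attached one with the <...> placeholders replaced by made-up names, and the keytab principals are constructed to reproduce the mismatch scenario; pass the output of `hostname -f` and `klist -k` to use it on a real machine.

```python
"""Added example: predict the realm a host maps to via [domain_realm] and
check whether the keytab holds the matching host/ principal.

Assumptions (not from the thread): realm and domain names below are
constructed placeholders; the lookup order models MIT Kerberos'
documented domain_realm rule but is a simplification (no DNS fallback)."""

import re
from typing import Dict, List, Optional, Tuple

# Constructed krb5.conf fragment mirroring the attached file, with
# <AD realm>=AD.EXAMPLE, <UX realm>=UX.EXAMPLE, <AD sub realm>=ADSUB.EXAMPLE,
# <SUB1>.<DOMAIN>=sub1.example.com (all made up for this example).
KRB5_CONF = """
[libdefaults]
        default_realm = AD.EXAMPLE

[domain_realm]
# ensure that DCs are in correct realm
        kdc1.sub1.example.com = UX.EXAMPLE
        dc1.sub1.example.com  = ADSUB.EXAMPLE
        .sub1.example.com     = UX.EXAMPLE
        sub1.example.com      = UX.EXAMPLE
        .example.com          = AD.EXAMPLE
        example.com           = AD.EXAMPLE
"""

# Constructed `klist -k` style listing: keytab issued against the AD realm
# while the host's domain maps to UX.EXAMPLE, i.e. the failure mode discussed.
KEYTAB_PRINCIPALS: List[str] = [
    "host/adtest.sub1.example.com@AD.EXAMPLE",
    "host/adtest@AD.EXAMPLE",
]


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for flat 'key = value' stanzas (enough for
    [libdefaults] and [domain_realm]; nested {} groups are not handled)."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Hostnames/domains are matched case-insensitively; realm case is kept.
        sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_for_host(host: str, conf: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    """Return (realm, matched_entry) for a hostname.

    Order: exact host entry, then for each parent domain the dotted form
    ('.sub1.example.com') and the bare form ('sub1.example.com'), longest
    suffix first; finally default_realm. matched_entry says which rule won,
    which is what you want to see when a host lands in the wrong realm."""
    domain_realm = conf.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in domain_realm:
                return domain_realm[candidate], candidate
    default = conf.get("libdefaults", {}).get("default_realm", "")
    return default, "default_realm"


def check_host_keytab(fqdn: str, conf: Dict[str, Dict[str, str]],
                      keytab_principals: List[str]) -> Dict[str, object]:
    """Compare the host/ principal the libraries would request against the
    keytab contents; a False 'in_keytab' with a different realm in
    'keytab_realms' is the realm-mismatch case from the thread."""
    realm, via = realm_for_host(fqdn, conf)
    expected = f"host/{fqdn.lower()}@{realm}"
    return {
        "expected_principal": expected,
        "matched_entry": via,
        "in_keytab": expected in keytab_principals,
        "keytab_realms": sorted({p.rsplit("@", 1)[1] for p in keytab_principals}),
    }


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for name in ("adtest.sub1.example.com", "dc1.sub1.example.com", "windc1.example.com"):
        print(name, "->", realm_for_host(name, conf))
    print(check_host_keytab("adtest.sub1.example.com", conf, KEYTAB_PRINCIPALS))
```

The matched_entry field is the useful part: it tells you which [domain_realm] line decided the realm, so an explicit host entry that "has no effect" can be confirmed as actually winning (or losing to a typo or to a differently-canonicalised hostname) before looking anywhere else.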
