Я не могу войти в Kerberos.
Я rsyslog для записи *.debug в /var/log/debug , вывод которого приведен ниже.
Если я пытаюсь войти в систему с помощью ssh , я получаю:
Jun 6 23:13:05 foo-machine sshd[13965]: Invalid user roy from 204.28.116.34
Jun 6 23:13:05 foo-machine sshd[13965]: input_userauth_request: invalid user roy [preauth]
Jun 6 23:13:06 foo-machine sshd[13965]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
Jun 6 23:13:06 foo-machine sshd[13965]: pam_krb5(sshd:auth): (user roy) attempting authentication as roy@EXAMPLE.COM
Jun 6 23:13:06 foo-machine sshd[13965]: pam_krb5(sshd:auth): (user roy) krb5_get_init_creds_password: Decrypt integrity check failed
Jun 6 23:13:06 foo-machine sshd[13965]: pam_krb5(sshd:auth): authentication failure; logname=roy uid=0 euid=0 tty=ssh ruser= rhost=204.28.116.34
Jun 6 23:13:06 foo-machine sshd[13965]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
Jun 6 23:13:06 foo-machine sshd[13965]: pam_unix(sshd:auth): check pass; user unknown
Jun 6 23:13:06 foo-machine sshd[13965]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.28.116.34
Jun 6 23:13:06 foo-machine sshd[13965]: Libgcrypt warning: missing initialization - please fix the application
Jun 6 23:13:07 foo-machine sshd[13965]: Failed password for invalid user roy from 204.28.116.34 port 30760 ssh2
(Обратите внимание, что мне хорошо известно, что "Ошибка проверки целостности" означает "неверный пароль". Пароль, который я указал , правильный.)
Если я пытаюсь войти с помощью login , я получаю:
Jun 6 22:55:58 foo-machine login[13003]: pam_krb5(login:auth): pam_sm_authenticate: entry
Jun 6 22:56:00 foo-machine login[13003]: pam_krb5(login:auth): (user roy) attempting authentication as roy@EXAMPLE.COM
Jun 6 22:56:00 foo-machine login[13003]: pam_krb5(login:auth): user roy authenticated as roy@EXAMPLE.COM
Jun 6 22:56:00 foo-machine login[13003]: pam_krb5(login:auth): (user roy) temporarily storing credentials in /tmp/krb5cc_pam_98AyqH
Jun 6 22:56:00 foo-machine login[13003]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
Jun 6 22:56:00 foo-machine login[13003]: Libgcrypt warning: missing initialization - please fix the application
Jun 6 22:56:00 foo-machine login[13003]: pam_krb5(login:account): pam_sm_acct_mgmt: entry
Jun 6 22:56:00 foo-machine login[13003]: pam_krb5(login:account): (user roy) retrieving principal from cache
Jun 6 22:56:00 foo-machine login[13003]: pam_krb5(login:account): pam_sm_acct_mgmt: exit (success)
Jun 6 22:56:00 foo-machine login[13003]: pam_mail(login:session): user unknown
Jun 6 22:56:00 foo-machine login[13003]: pam_umask(login:session): account for roy not found
Jun 6 22:56:00 foo-machine login[13003]: pam_krb5(login:session): (user roy) getpwnam failed for roy
Jun 6 22:56:00 foo-machine login[13003]: pam_unix(login:session): session opened for user roy by root(uid=0)
Jun 6 22:56:00 foo-machine login[13003]: User not known to the underlying authentication module
Если я пытаюсь пройти аутентификацию с помощью kinit , все идет хорошо:
# kinit -V roy@EXAMPLE.COM
Using default cache: /tmp/krb5cc_0
Using principal: roy@EXAMPLE.COM
Password for roy@EXAMPLE.COM:
Authenticated to Kerberos v5
#
/etc/pam.d/common-account:
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_krb5.so minimum_uid=1000 debug
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Обратите внимание, что я сделал модификацию здесь; account ... pam_krb5 находился в "Дополнительном блоке", но, учитывая, что pam_deny настроен как requisite , мне не было ясно, как можно pam_krb5 . Таким образом, я переместил это.
Следующие два файла не тронуты мной:
/etc/pam.d/common-auth:
# here are the per-package modules (the "Primary" block)
auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000 debug
auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_cap.so
# end of pam-auth-update config
/etc/pam.d/common-session:
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session [success=1 default=ignore] pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_systemd.so
# end of pam-auth-update config
Небольшое замечание: Apache DS - это мой сервер LDAP и KDC. (/etc/krb5.conf указывает на это.) (Поскольку OpenLDAP/"обычный" Kerberos оказался невозможным для настройки; Apache стал проще, но, увы, он все еще не работает.)
Почему я не могу войти?