[OpenAFS] [semi-OT] Cannot determine realm for host

Tobias Pfeiffer BoteDesSchattens@web.de
Tue, 21 Jun 2005 18:34:08 +0200


Hi!

I feel sorry for posting this to the wrong list, but right now, neither
sf.net nor stacken.kth.se let me join any Kerberos-related lists, so...
I hope some of you are familiar with Kerberos, too.

I've got a problem with PAM and libpam_krb5 (libpam-heimdal in Debian).
The pam.d files are all (probably) set up right, because at my home
site, they work fine. Just in my newly set up Debian Sarge network, it
doesn't. There, it is a Heimdal KDC with Heimdal Clients. kinit works
very well and so does AFS, when I obtain tickets manually, just the PAM
module does not work.

If I add the 'debug' flag, I get messages in /var/log/auth.log like

Jun 21 17:29:20 files login[10766]: pam_krb5: pam_sm_authenticate(su
tpfeiffer): entry:
Jun 21 17:29:23 files login[10766]: pam_krb5: verify_krb_v5_tgt():
krb5_sname_to_principal(): Cannot determine realm for host
Jun 21 17:29:23 files login[10766]: pam_krb5: pam_sm_authenticate(su
tpfeiffer): exit: success

And then the login prompt shows: "Login incorrect". Nevertheless, the
heimdal-kdc.log on the KDC shows that a ticket is requested for the
correct user.

If I try the MIT Kerberos PAM module (libpam-krb5 in Debian), I get a
different message:

Jun 21 17:29:20 files login[10766]: pam_krb5: pam_sm_authenticate(su
tpfeiffer): entry:
Jun 21 17:29:23 files login[10766]: pam_krb5: verify_krb_v5_tgt():
krb5_kt_read_service_key(): No such file or directory
Jun 21 17:29:23 files login[10766]: pam_krb5: pam_sm_authenticate(su
tpfeiffer): exit: success

At the login prompt, there is an "Authentication service cannot retrieve
authentication info." message now instead of "Login incorrect".

My question is: why doesn't the first module find the realm if kinit
works without problems?? Is there anything left I have to configure? The
krb5.conf file shows the correct FQDN of the server machines and there
are also domain -> realm mappings.

Thanks for your help!

Bye
Tobias

--
...and justice for all!
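
Added example, not part of the original message: krb5_sname_to_principal() builds the host principal from the machine's own host name, so one check for the "Cannot determine realm for host" line is whether that name matches a [domain_realm] entry. The krb5.conf text, host names and realms below are constructed, and the lookup is a simplified model (exact host entry first, then each parent domain written with a leading dot) that does not reproduce the library's DNS or fallback behaviour.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[domain_realm]
    .example.org = EXAMPLE.ORG
    kdc.example.org = EXAMPLE.ORG
    .lab.example.net = LAB.EXAMPLE.NET
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries as {lowercased name: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def candidates(hostname):
    """Names tried in order: the host itself, then each parent as '.domain'."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    return [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]

def realm_for_host(hostname, mapping):
    """Return (realm, matched_entry), or (None, None) if nothing matches."""
    for name in candidates(hostname):
        if name in mapping:
            return mapping[name], name
    return None, None

if __name__ == "__main__":
    import socket
    mapping = parse_domain_realm(SAMPLE_KRB5_CONF)
    # A short name without a domain part matches no '.domain' entry.
    for host in ("files.example.org", "files", socket.gethostname()):
        print(host, "->", realm_for_host(host, mapping))
```

To check a real machine, pass the contents of its krb5.conf to parse_domain_realm() and compare the result for the name the host reports about itself.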

