AD/KRB5 authentication issues (unexpected) with RedHat 7.2

For some unknown reason, a few freshly added users could not log in to a freshly built RedHat host. Too much fresh? The host was built with COBBLER, so what is going on?
This is what is recorded in /var/log/secure showing the failed login attempt:

Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc4dd448d822.ptest.wmd.edu  user=wmduszyk
Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc4dd448d822.ptest.wmd.edu user=wmduszyk
Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_krb5[2397]: account checks fail for 'WMDUSZYK@WMD.EDU': user disallowed by .k5login file for 'wmduszyk'
Sep  8 13:57:56 bctpxypl1 sshd[2397]: Failed password for wmduszyk from 10.34.24.10 port 58191 ssh2
Sep  8 13:57:56 bctpxypl1 sshd[2397]: fatal: Access denied for user wmduszyk by PAM account configuration [preauth]
Sep  8 13:59:49 bctpxypl1 su: pam_unix(su-l:session): session closed for user wmduszyk

I am flabbergasted! The host has all the latest patches, and everybody else can log in! After a short search on the web I add a paragraph to /etc/krb5.conf containing the ignore_k5login = true phrase and the login issues are gone!

Here is the file /etc/krb5.conf as it is now.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WMD.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 WMD.EDU = {
  kdc = KERBEROS.WMD.EDU
  admin_server = KERBEROS.WMD.EDU
 }

[domain_realm]
 wmd.edu = WMD.EDU
 .wmd.edu = WMD.EDU

[appdefaults]
 pam = {
  debug = false
  WMD.EDU = {
   ignore_k5login = true
  }
 }
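
Because ignore_k5login = true switches the .k5login authorization check off for every user in the realm, it helps to see why a given principal was refused before relaxing it. The script below is an added example, not part of the original post: it pulls the denied principal/user pairs out of /var/log/secure-style lines and explains each one with a simplified model of the krb5_kuserok() rules. The function names, the sample log lines and the /nonexistent path are assumptions made for the illustration, and the model assumes default settings with no auth_to_local rules.

```shell
#!/bin/sh
# Added example, not from the original post. The log lines are constructed
# in the message format the post shows.
sample_log() {
cat <<'EOF'
Sep  8 13:57:56 host1 sshd[2397]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example user=wmduszyk
Sep  8 13:57:56 host1 sshd[2397]: pam_krb5[2397]: account checks fail for 'WMDUSZYK@WMD.EDU': user disallowed by .k5login file for 'wmduszyk'
Sep  8 13:58:10 host1 sshd[2401]: pam_krb5[2401]: account checks fail for 'WMDUSZYK@WMD.EDU': user disallowed by .k5login file for 'wmduszyk'
EOF
}

# Read log text on stdin; print unique "principal local_user" pairs for
# pam_krb5 .k5login denials.
k5login_denials() {
    sed -n "s/.*pam_krb5\[[0-9]*]: account checks fail for '\([^']*\)': user disallowed by \.k5login file for '\([^']*\)'.*/\1 \2/p" | sort -u
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Simplified model of the krb5_kuserok() decision (assumption: defaults only):
#   - .k5login exists: the principal must appear in it as an exact line.
#   - no .k5login: the principal must equal <user>@<realm>, case-sensitively.
# Usage: explain_denial PRINCIPAL LOCAL_USER DEFAULT_REALM K5LOGIN_PATH
explain_denial() {
    princ=$1; user=$2; realm=$3; k5login=$4
    if [ -f "$k5login" ]; then
        if grep -Fxq -e "$princ" "$k5login"; then
            echo "allowed: listed in .k5login"
        else
            echo "denied: not listed in .k5login"
        fi
    elif [ "$princ" = "$user@$realm" ]; then
        echo "allowed: default mapping"
    elif [ "$(lower "$princ")" = "$(lower "$user@$realm")" ]; then
        echo "denied: case mismatch with $user@$realm"
    else
        echo "denied: no mapping to $user"
    fi
}

# Demo on the constructed lines; on a real host feed /var/log/secure instead
# and pass the user's own ~/.k5login path (here a path that does not exist).
sample_log | k5login_denials | while read -r princ user; do
    printf '%s -> %s: ' "$princ" "$user"
    explain_denial "$princ" "$user" WMD.EDU /nonexistent/.k5login
done
```

For the principal and user in the log line above, the model reports a case mismatch, which is one explanation consistent with the uppercase 'WMDUSZYK@WMD.EDU' being checked against the lowercase local account 'wmduszyk'.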




Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved. Created by Blog Copyright.