Skip to content


AD/KRB5 authentication issues (unexpected) with RedHat 7.2

For some unknown reason a few freshly added users could not login to a freshly built RedHat host. Too much fresh? The host has been COBBLER built and so what is going on?
This is what is recorded in /var/log/secure showing the failed login attempt:

Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc4dd448d822.ptest.wmd.edu  user=wmduszyk
Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc4dd448d822.ptest.wmd.edu user=wmduszyk
Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_krb5[2397]: account checks fail for 'WMDUSZYK@WMD.EDU': user disallowed by .k5login file for 'wmduszyk'
Sep  8 13:57:56 bctpxypl1 sshd[2397]: Failed password for wmduszyk from 10.34.24.10 port 58191 ssh2
Sep  8 13:57:56 bctpxypl1 sshd[2397]: fatal: Access denied for user wmduszyk by PAM account configuration [preauth]
Sep  8 13:59:49 bctpxypl1 su: pam_unix(su-l:session): session closed for user wmduszyk

I am flabbergasted! The host has all the latest patches, and everybody else can login! After a short search on the web I add a paragraph to /etc/krb5.conf containing the ignore_k5login = true phrase and the login issues are gone!

Here is the file /etc/krb5.conf as it is now.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WMD.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 WMD.EDU = {
  kdc = KERBEROS.WMD.EDU
  admin_server = KERBEROS.WMD.EDU
 }

[domain_realm]
 wmd.edu = WMD.EDU
 .wmd.edu = WMD.EDU

[appdefaults]
 pam = {
  debug = false
  WMD.EDU = {
   ignore_k5login = true
  }
 }

Posted in LINUX.


One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Mitasha says

    Thanks this works !!! 😀



Some HTML is OK

or, reply to this post via trackback.

WordPress Anti Spam by WP-SpamShield



Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved. Created by Blog Copyright.