Hello everyone,
I've followed this tutorial:
https://linuskarlsson.se/blog/acquiring … cal-login/
and after logging out and in again or rebooting my system, I cannot see my krb5 credential with klist (which is the desired result after login with my account).
I even tried before finding this tutorial to modify system-auth (by adding lines with the "sufficient" attribute before pam_unix and after it) without further success.
I have followed exactly what is described on the link above:
install pam-krb5 with pacman -Sy pam-krb5
modifying the system-local-login by adding the three lines, which give me an /etc/pam.d/system-local-login like this one:
auth include system-login
auth optional pam_krb5.so minimum_uid=1000 use_first_pass
account include system-login
account optional pam_krb5.so
password include system-login
session include system-login
session optional pam_krb5.so
I also verified that my uid was 1000 and even removed the minimum_uid option and it still does not work.
I do not know what I am missing.
If anyone can help me integrate Kerberos authentication with PAM I will be thankful.
Last edited by Hellios (2023-02-02 19:26:20)
install pam-krb5 with pacman -Sy pam-krb5
NEVER do that to install a package. Always use either -S <package> or (better) -Syu <package>. -Sy is the road to hell because it performs a Partial Upgrade
I'm not an expert on this, but it sounds like you want to set up AD integration. The Arch Wiki page on that seems to be heavily edited recently, so I recommend checking out the current documentation that's on the Wiki, since things may have changed recently: https://wiki.archlinux.org/title/Active … ntegration.
Hellios wrote: install pam-krb5 with pacman -Sy pam-krb5
NEVER do that to install a package. Always use either -S <package> or (better) -Syu <package>. -Sy is the road to hell because it performs a Partial Upgrade
Thanks, it's a bit strange that you can perform -Sy without the -u option, but I understand the idea behind this. I did sudo pacman -Syu pam-krb5 and rebooted, but it did not solve my problem. I will remember to do -Syu and not -Sy next time.
I'm not an expert on this, but it sounds like you want to set up AD integration. The Arch Wiki page on that seems to be heavily edited recently, so I recommend checking out the current documentation that's on the Wiki, since things may have changed recently: https://wiki.archlinux.org/title/Active … ntegration.
That is not what I am attempting. I will explain in detail what I'm trying to do:
I have a Kerberos realm configured and I just want my client to be able to take a ticket granting ticket from the server on login. I'm more or less in the same situation as described in the tutorial I have posted. I do not want to connect to an Active Directory service or a Samba service.
EDIT: after verifying the journal with the command:
sudo journalctl SYSLOG_FACILITY=10
I have found this error message:
pam_krb5(gdm-password:auth): (user hellios) credential verification failed: Cannot find key for host/server.example.com@EXAMPLE.NET kvno 5 in keytab
which is strange because the key it is searching for is the host key of the server and should not be in my client keytab.
Last edited by Hellios (2023-01-31 16:32:33)
I added a new host key on the server (I think that's what solved the first error).
Then I found another error:
credential verification failed: Cannot decrypt ticket for host/client.example.com@EXAMPLE.COM using keytab key for host/client.EXAMPLE.COM@EXAMPLE.COM
And then I finally solved this last problem.
I had old keys in my krb5.keytab file on my client machine. Removing the keytab file and adding new keys with kadmin solved the issues.
Thanks to twelveeighty again for the tip about never doing a partial update; it did not solve my issue, but it was a very instructive tip.
Last edited by Hellios (2023-02-01 15:25:24)
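Added example, not part of any post in this thread: both pam_krb5 errors above come from the credential verification step, which needs a host key in the local keytab that matches what the KDC currently issues, so a stale keytab can be spotted by comparing the key versions in `klist -k` with the one `kvno` reports. The function names are hypothetical, the sample text is constructed, and the parsing assumes the MIT krb5 output layout of both commands.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical; the
# sample text is constructed, in the MIT krb5 `klist -k` / `kvno` layout.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/client.example.com@EXAMPLE.COM
   4 host/client.example.com@EXAMPLE.COM
   2 host/other.EXAMPLE.COM@EXAMPLE.COM'
SAMPLE_KVNO='host/client.example.com@EXAMPLE.COM: kvno = 5'

# keytab_kvnos PRINCIPAL [ci]: read `klist -k` text on stdin and print the key
# versions stored for PRINCIPAL, space separated. With "ci" the principal
# name is compared case-insensitively.
keytab_kvnos() {
    awk -v p="$1" -v ci="${2:-}" '
        $1 ~ /^[0-9]+$/ && (ci == "ci" ? tolower($2) == tolower(p) : $2 == p) { print $1 }
    ' | sort -nu | tr '\n' ' ' | sed 's/ *$//'
}

# kdc_kvno: read `kvno PRINCIPAL` output on stdin, print the version number.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# check_keytab PRINCIPAL KLIST_TEXT KVNO_TEXT: print a one-line verdict.
check_keytab() {
    have=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    want=$(printf '%s\n' "$3" | kdc_kvno)
    if [ -z "$want" ]; then
        echo "unknown"; return 4        # no kvno line: KDC lookup failed
    fi
    if [ -z "$have" ]; then
        if [ -n "$(printf '%s\n' "$2" | keytab_kvnos "$1" ci)" ]; then
            echo "case-differs"; return 3   # entry exists only under another case
        fi
        echo "missing"; return 2
    fi
    for v in $have; do
        if [ "$v" = "$want" ]; then echo "ok kvno=$want"; return 0; fi
    done
    echo "stale keytab=[$have] kdc=$want"; return 1
}

# Live use (as root, after kinit), with P set to the client's host principal:
#   check_keytab "$P" "$(klist -k /etc/krb5.keytab)" "$(kvno "$P")"
check_keytab 'host/client.example.com@EXAMPLE.COM' "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```

A matching kvno does not prove the key bytes match; if the check reports ok and pam_krb5 still cannot decrypt the ticket, re-creating the keytab entries with kadmin, as done in the last post, is the remaining fix.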