#1 2023-01-30 17:20:25

Hellios
Member
Registered: 2023-01-30
Posts: 3

[SOLVED] can't add pam-krb5 to PAM stack

Hello everyone,

I've followed this tutorial:

https://linuskarlsson.se/blog/acquiring … cal-login/

and after logging out and logging in again, or rebooting my system, I cannot see my krb5 credential with klist (which is the desired result after login with my account).

I even tried, before finding this tutorial, to modify system-auth (by adding lines with the "sufficient" attribute before pam_unix and after it), without further success.

I have followed exactly what is described on the link above:

install pam-krb5 with pacman -Sy pam-krb5

modifying system-local-login by adding the three lines, which gives me an /etc/pam.d/system-local-login like this one:

auth      include   system-login
auth      optional  pam_krb5.so    minimum_uid=1000 use_first_pass
account   include   system-login
account   optional  pam_krb5.so
password  include   system-login
session   include   system-login
session   optional  pam_krb5.so

I also verified that my uid was 1000 and even removed the minimum_uid option and it still does not work.

I do not know what I am missing.

If anyone can help me integrate Kerberos authentication with PAM I will be thankful.

Last edited by Hellios (2023-02-02 19:26:20)

#2 2023-01-30 20:38:02

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: [SOLVED] can't add pam-krb5 to PAM stack

Hellios wrote:

install pam-krb5 with pacman -Sy pam-krb5

NEVER do that to install a package. Always use either -S <package> or (better) -Syu <package>. -Sy is the road to hell because it performs a Partial Upgrade

I'm not an expert on this, but it sounds like you want to set up AD integration. The Arch Wiki page on that seems to be heavily edited recently, so I recommend checking out the current documentation that's on the Wiki, since things may have changed recently: https://wiki.archlinux.org/title/Active … ntegration.

#3 2023-01-31 10:02:56

Hellios
Member
Registered: 2023-01-30
Posts: 3

Re: [SOLVED] can't add pam-krb5 to PAM stack

twelveeighty wrote:
Hellios wrote:

install pam-krb5 with pacman -Sy pam-krb5

NEVER do that to install a package. Always use either -S <package> or (better) -Syu <package>. -Sy is the road to hell because it performs a Partial Upgrade

Thanks, it's a bit strange that you can perform -Sy without the -u option, but I understand the idea behind this. I did sudo pacman -Syu pam-krb5 and rebooted, but it did not solve my problem. I will remember to do -Syu and not -Sy next time.

I'm not an expert on this, but it sounds like you want to set up AD integration. The Arch Wiki page on that seems to be heavily edited recently, so I recommend checking out the current documentation that's on the Wiki, since things may have changed recently: https://wiki.archlinux.org/title/Active … ntegration.

That is not what I am attempting. I will explain in detail what I'm trying to do:

I have a Kerberos realm configured and I just want my client to be able to take a ticket-granting ticket from the server on login; I'm more or less in the same situation as described in the tutorial I posted. I do not want to connect to an Active Directory service or a Samba service.

EDIT: after checking the journal with the command:

sudo journalctl SYSLOG_FACILITY=10

I have found this error message:

pam_krb5(gdm-password:auth): (user hellios) credential verification failed: Cannot find key for host/server.example.com@EXAMPLE.NET kvno 5 in keytab

which is strange, because the key it is searching for is the host key of the server and should not be in my client keytab.

Last edited by Hellios (2023-01-31 16:32:33)

#4 2023-02-01 12:44:58

Hellios
Member
Registered: 2023-01-30
Posts: 3

Re: [SOLVED] can't add pam-krb5 to PAM stack

I added a new host key on the server (I think that is what solved the first error).

Then I found another error:

credential verification failed: Cannot decrypt ticket for host/client.example.com@EXAMPLE.COM using keytab key for host/client.EXAMPLE.COM@EXAMPLE.COM

And then I finally solved this last problem.

I had old keys in my krb5.keytab file on my client machine. Removing the keytab file and adding new keys with kadmin solved the issues.

Thanks to twelveeighty again for the tip about never doing a partial update; it did not solve my issue, but it was a very instructive tip.

Last edited by Hellios (2023-02-01 15:25:24)
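The two leftovers the last post removed from the client keytab (an older kvno for the host principal, and a principal name that differed only in case) can be spotted before pam_krb5 fails on them. The following check is an added example and not part of the thread: it parses a keytab in the 0x0502 format that kadmin's ktadd writes and reports both conditions. The sample keytab bytes, the key material and the enctype number are constructed inline; for a real file, pass open("/etc/krb5.keytab", "rb").read() to parse_keytab.

```python
import struct
from collections import defaultdict
def _counted(data, pos):  # uint16 big-endian length, then that many bytes
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                         # a negative size marks a deleted slot
            ncomp = struct.unpack_from(">H", data, pos)[0]
            realm, pos = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _counted(data, pos)
                comps.append(comp.decode())
            kvno = data[pos + 8]             # after name_type(4) and timestamp(4): 8-bit kvno
            enctype, klen = struct.unpack_from(">HH", data, pos + 9)
            pos += 13 + klen                 # skip the keyblock; key material is not needed
            if end - pos >= 4:               # optional 32-bit kvno wins when non-zero
                kvno = struct.unpack_from(">I", data, pos)[0] or kvno
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def suspicious_entries(entries):  # stale kvnos, and principal names differing only in case
    newest, by_case = defaultdict(int), defaultdict(set)
    for princ, kvno, _ in entries:
        newest[princ] = max(newest[princ], kvno)
        by_case[princ.lower()].add(princ)
    stale = [e for e in entries if e[1] < newest[e[0]]]
    return stale, [sorted(v) for v in by_case.values() if len(v) > 1]

def _entry(principal, kvno, enctype, key):  # encoder, used only to build the sample
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")        # realm first, then the name components
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([     # constructed: rotated key plus a case-variant leftover
    _entry("host/client.example.com@EXAMPLE.COM", 2, 18, b"\x00" * 32),
    _entry("host/client.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),
    _entry("host/client.EXAMPLE.COM@EXAMPLE.COM", 1, 18, b"\x22" * 32)])
```

On the sample, suspicious_entries reports the kvno 2 entry as stale and the two spellings of host/client.example.com as case variants, which is the state the thread's client was in before the keytab was rebuilt.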
