Re: User login issue
- To: "debian-edu@lists.debian.org" <debian-edu@lists.debian.org>
- Subject: Re: User login issue
- From: roman.meier@gismap.ch
- Date: Wed, 7 Feb 2024 12:51:11 +0100 (CET)
- Message-id: <[🔎] 1368265174.2816662.1707306671259@office.hostpoint.ch>
- In-reply-to: <1955701986.995437.1704625640908@office.hostpoint.ch>
- References: <1053041503.968577.1704470650469@office.hostpoint.ch> <20240105220147.Horde.Sii_0aa9oH0es0Zic1t4pcX@mail.das-netzwerkteam.de> <1299049070.1014085.1704539791147@office.hostpoint.ch> <20240106124524.Horde.G18YAIueQfukuC5J1ANKS-i@mail.das-netzwerkteam.de> <507630356.1003178.1704552761468@office.hostpoint.ch> <1955701986.995437.1704625640908@office.hostpoint.ch>
Hi folks,
Yesterday, I came across the following entry in /var/log/auth.log:
Feb 6 11:03:38 tjener su: pam_krb5(su:auth): (user roman) credential verification failed: Cannot find key for host/tjener.intern@INTERN kvno 16 in keytab
I also had a closer look at the following script:
/usr/share/debian-edu-config/tools/copy-host-keytab
This then lead me to the solution of my authentication problem.
My file /etc/krb5.keytab was missing many entries preventing successful user logins. Executing the script fixed this finally.
Kind regards,
Roman
> On 01/07/2024 11:07 AM GMT roman.meier@gismap.ch wrote:
>
>
> Hi folks,
>
> Maybe the following is helping to narrow things down?
>
> I checked on /var/log/auth.log today and I'm getting the following upon trying to login as user mm in the console:
>
> Jan 7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: mm@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
> Jan 7 11:04:34 tjener krb5kdc[2232]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Jan 7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: mm@INTERN for krbtgt/INTERN@INTERN, Preauthentication failed
> Jan 7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: mm@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
> Jan 7 11:04:34 tjener krb5kdc[2232]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Jan 7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: mm@INTERN for krbtgt/INTERN@INTERN, Preauthentication failed
> Jan 7 11:04:34 tjener login[17928]: pam_krb5(login:auth): authentication failure; logname=mm uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
> Jan 7 11:04:34 tjener login[17928]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=mm
> Jan 7 11:04:38 tjener login[17928]: FAILED LOGIN (1) on '/dev/tty1' FOR 'mm', Authentication failure
>
> Kind regards,
> Roman
Reply to: