Thanks in advance,
Anthony
----------------------------------------------------------- /etc/pam.d/system-auth -----------------------------------------------------------
# PAM stack as posted: one line per module, "<type> <control> <module> [options]".
#
# auth: all three modules are "required", so each of them must succeed.
# NOTE(review): pam_deny.so always returns failure, so as a "required" entry it
# fails the whole auth stack even after pam_krb5.so has succeeded. That matches
# the log below, where "authentication succeeds for 'root'" is followed each time
# by "error: PAM: Authentication failure". The password stack further down marks
# pam_krb5.so "sufficient" ahead of pam_deny.so; the auth stack probably needs the
# same control flag so a Kerberos success ends the stack before pam_deny.so runs.
auth required /lib/security/pam_env.so
# "debug" is what produces the verbose pam_krb5 lines in the log below; drop it
# once the problem is diagnosed.
auth required /usr/local/lib/security/pam_krb5.so debug
auth required /lib/security/pam_deny.so
# account: only local pam_unix checks; pam_krb5.so is not consulted here.
account required /lib/security/pam_unix.so
# password: quality check first, then the Kerberos password change; pam_deny.so
# is reached only when pam_krb5.so did not succeed.
password required /lib/security/pam_cracklib.so retry=3
password sufficient /usr/local/lib/security/pam_krb5.so use_authtok debug
password required /lib/security/pam_deny.so
# session: pam_krb5.so is "optional", so its result does not block the login.
session required /lib/security/pam_limits.so debug
session required /lib/security/pam_unix.so
session optional /usr/local/lib/security/pam_krb5.so debug tokens use_authtok
----------------------------------------------------------- /etc/krb5.conf -----------------------------------------------------------
# Kerberos client configuration as posted, restored to one relation per line.
[libdefaults]
# The log below reports "ticket lifetime: 36000" for pam_krb5, i.e. the value from
# the [appdefaults] pam section further down, not this one.
ticket_lifetime = 600
default_realm = EXAMPLE.COM
# NOTE(review): des-cbc-crc is single DES, deprecated for Kerberos by RFC 6649,
# and des3-hmac-sha1 was deprecated by RFC 8429. Prefer AES enctypes where the
# KDC and all clients support them.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.COM = {
    kdc = kerberos:88
    admin_server = kerberos:749
}
# Maps host names under example.com (and example.com itself) to EXAMPLE.COM.
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
# Settings read by pam_krb5; the log below echoes the lifetimes, "forwardable"
# and "no krb4_convert" from this section.
[appdefaults]
pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    max_timeout = 30
    timeout_shift = 2
    initial_timeout = 1
    # NOTE(review): presumably the service principal pam_krb5 uses to validate the
    # TGT against the keytab the log names (/etc/krb5.keytab); confirm against the
    # pam_krb5 documentation for this build.
    required_tgs = host/host.example.com
}
-----------------------------------------------------------
Log contents
-----------------------------------------------------------
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flags: forwardable
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: user_check
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: no krb4_convert
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: warn
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: ticket lifetime: 36000
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: renewable lifetime: 36000
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: banner: Kerberos 5
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: ccache dir: /tmp
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: keytab: /etc/krb5.keytab
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: called to authenticate 'root'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: authenticating 'root@xxxxxxxxxxx'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: saving newly-entered password for use by other modules
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: trying newly-entered password for 'root'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: authenticating 'root@xxxxxxxxxxx' to 'krbtgt/EXAMPLE.COM@xxxxxxxxxxx'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@xxxxxxxxxxx) returned 0 (Unknown code 0)
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: got result 0 (Unknown code 0)
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: authentication succeeds for 'root' (root@xxxxxxxxxxx)
Jun 2 00:09:42 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flags: forwardable
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: user_check
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: no krb4_convert
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: warn
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: ticket lifetime: 36000
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: renewable lifetime: 36000
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: banner: Kerberos 5
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: ccache dir: /tmp
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: keytab: /etc/krb5.keytab
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: called to authenticate 'root'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: authenticating 'root@xxxxxxxxxxx'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: saving newly-entered password for use by other modules
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: trying newly-entered password for 'root'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: authenticating 'root@xxxxxxxxxxx' to 'krbtgt/EXAMPLE.COM@xxxxxxxxxxx'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@xxxxxxxxxxx) returned 0 (Unknown code 0)
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: got result 0 (Unknown code 0)
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: authentication succeeds for 'root' (root@xxxxxxxxxxx)
Jun 2 00:09:45 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flags: forwardable
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: user_check
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: no krb4_convert
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: warn
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: ticket lifetime: 36000
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: renewable lifetime: 36000
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: banner: Kerberos 5
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: ccache dir: /tmp
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: keytab: /etc/krb5.keytab
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: called to authenticate 'root'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: authenticating 'root@xxxxxxxxxxx'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: saving newly-entered password for use by other modules
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: trying newly-entered password for 'root'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: authenticating 'root@xxxxxxxxxxx' to 'krbtgt/EXAMPLE.COM@xxxxxxxxxxx'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@xxxxxxxxxxx) returned 0 (Unknown code 0)
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: got result 0 (Unknown code 0)
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: authentication succeeds for 'root' (root@xxxxxxxxxxx)
Jun 2 00:09:46 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:46 host sshd[25797]: Failed keyboard-interactive/pam for root from ::ffff:10.0.1.51 port 48177 ssh2
Jun 2 00:09:52 host sshd[25797]: Accepted password for root from ::ffff:10.0.1.51 port 48177 ssh2
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flags: forwardable
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: user_check
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: warn
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: ticket lifetime: 36000
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: renewable lifetime: 36000
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: keytab: /etc/krb5.keytab
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: no v5 creds for user 'root', skipping session setup
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flags: forwardable
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: tokens
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: user_check
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: use_authtok
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: warn
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ticket lifetime: 36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: renewable lifetime: 36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: keytab: /etc/krb5.keytab
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: no v5 creds for user 'root', skipping session setup
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flags: forwardable
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: user_check
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: warn
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ticket lifetime: 36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: renewable lifetime: 36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: keytab: /etc/krb5.keytab
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: called to update credentials for 'root'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: _pam_krb5_sly_refresh returning 0 (Success)