
I've set up remote login on a computer using Kerberos and LDAP. I've also configured NFS to mount onto /home so that the user's home directory is the same wherever they log in.

Kerberos authentication seems to work fine. I can get a ticket using kinit user1 (assuming user1 is a remote user) and see the ticket with klist.

I'm pretty sure LDAP is working because I see the proper output from getent passwd, which lists all the remote users.

The contents of /home are present when I list the files.

The problem is: when I try to log in as a remote user the session is immediately ended. Why is it not letting me stay logged in? Here is the output from /var/log/messages after a login attempt:

# /var/log/messages:
Oct  9 10:57:53 tophat login[6472]: pam_krb5[6472]: authentication succeeds for 'user1' (user1@REALM.COM)
Oct  9 10:57:53 tophat login[6472]: pam_krb5[6472]: pam_setcred (establish credential) called
Oct  9 10:57:53 tophat login[6472]: pam_krb5[6472]: pam_setcred (delete credential) called

EDIT:

The distro is openSUSE. Here are the common-* files in /etc/pam.d:

# /etc/pam.d/common-account
account required        pam_unix.so

# /etc/pam.d/common-auth
auth    sufficient      pam_krb5.so minimum_uid=1000
auth    required        pam_unix.so nullok_secure try_first_pass

# /etc/pam.d/common-session
session optional        pam_umask.so umask=002
session sufficient      pam_krb5.so minimum_uid=1000
session required        pam_unix.so

There doesn't appear to be a /var/log/auth.log file nor a /var/log/secure file.

Dylan Klomparens
  • Which distro is this? Please also add the contents of the relevant configuration files `/etc/ssh/sshd_config`, `/etc/pam.d/common-*`, as well as the logfiles `/var/log/auth.log` or `/var/log/secure`, depending on your distro. – daff Oct 09 '12 at 15:26
  • Before you login via `ssh` start `sshd` in debug-mode on the console. That will give you more information than anything else. My feeling is that you should do this with native sshd-means instead of using pam. – Nils Oct 11 '12 at 20:54
  • Did the user do something silly like put `logout` in their `.bashrc`? – Michael Hampton Oct 13 '12 at 04:23

1 Answer

Some questions to think about:

Does the user have a valid shell (that isn't /bin/false or similar)? Is the user's UID >= 1000 (required by your pam_krb5.so config)?

Is the uid the same on the NFS fileserver (or are uids mapped correctly)? I.e. does the user have rwx perms on their own home directory on the host concerned? Can the user log in on other hosts which also NFS-mount the home directory?

BTW, SUSE doesn't separate logfiles into logical (facility-based) categories; you'll have to look in /var/log/syslog or /var/log/messages.

cas
  • This helped since a misconfiguration in LDAP was causing the shell to be "nologin" for all users. I think the Kerberos configuration is still incorrect though. Thanks for the help, Craig! – Dylan Klomparens Oct 18 '12 at 22:03
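The checks the answer suggests (login shell, uid against `minimum_uid=1000`, home directory ownership and rwx access after the NFS mount) as one script, written as an added example rather than code from the answer. The function names `check_passwd_entry` and `check_home_dir` are assumptions; the passwd entries used in the stand-alone run come from `getent`, so the LDAP-supplied shell (the `nologin` case from the follow-up comment) is what gets inspected.

```sh
#!/bin/sh
# Added diagnostic: once pam_krb5 reports "authentication succeeds", can this
# account actually hold an interactive session? MIN_UID mirrors the
# minimum_uid=1000 in the common-auth/common-session files above.
MIN_UID=1000

# check_passwd_entry 'name:x:uid:gid:gecos:home:shell' -> 0 if shell and uid are login-capable
check_passwd_entry() {
    name=$(printf '%s' "$1" | cut -d: -f1)
    uid=$(printf '%s' "$1" | cut -d: -f3)
    shell=$(printf '%s' "$1" | cut -d: -f7)
    rc=0
    case "$shell" in
        ""|*/nologin|*/false)
            echo "FAIL: $name has shell '$shell' -> session ends as soon as it starts"; rc=1 ;;
        *)
            [ -x "$shell" ] || { echo "FAIL: shell $shell is missing on this host"; rc=1; }
            # /etc/shells only matters to tools that consult it (chsh, some ftpds): warn only
            [ -f /etc/shells ] && ! grep -qx "$shell" /etc/shells &&
                echo "WARN: $shell is not listed in /etc/shells" ;;
    esac
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "FAIL: uid $uid < minimum_uid=$MIN_UID, so pam_krb5.so skips this user"; rc=1
    fi
    return $rc
}

# check_home_dir name uid home -> 0 if home exists, is owned by uid and is rwx.
# -r/-w/-x are evaluated for the invoking user: run it as that user (su - name)
# to test their access; root passes regardless of mode.
check_home_dir() {
    name=$1; uid=$2; home=$3
    [ -d "$home" ] || { echo "FAIL: $home does not exist (NFS mount missing?)"; return 1; }
    owner=$(stat -c '%u' "$home")
    if [ "$owner" != "$uid" ]; then
        echo "FAIL: $home is owned by uid $owner, not $uid (uid mismatch with the NFS server?)"
        return 1
    fi
    [ -r "$home" ] && [ -w "$home" ] && [ -x "$home" ] ||
        { echo "FAIL: $name lacks rwx on $home (mode $(stat -c '%a' "$home"))"; return 1; }
    echo "OK: $name uid=$uid home=$home looks usable"
}

if [ $# -gt 0 ]; then   # usage: ./logincheck.sh user1
    entry=$(getent passwd "$1") || { echo "FAIL: getent passwd $1 returned nothing (LDAP?)"; exit 1; }
    check_passwd_entry "$entry"
    check_home_dir "$1" "$(printf '%s' "$entry" | cut -d: -f3)" "$(printf '%s' "$entry" | cut -d: -f6)"
fi
```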