Kerberos-PAM authentication failure: pam or pre-authentication

Question

kinit -p 'username' works -- no problem with the setup of the Kerberos realm.

I can't get the login from the GUI to work, however.

Client auth.log:

pam_krb5(gdm3:auth): user <username> authenticated as <user>@<realm>
gkr-pam: error looking up user information

Server krb5kdc.log:

Oct 01 02:27:23 debian krb5kdc[6996](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.11:
NEEDED_PREAUTH: <user>@<realm> for krbtgt/<realm>@<realm>, Additional
pre-authentication required


Oct 01 02:27:23 debian krb5kdc[6996](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.11: 
ISSUE: authtime 1412144843, etypes {rep=18 tkt=18 ses=18}, <user>@<realm> for 
krbtgt/<realm>@<realm>

In other words, Kerberos server issues the ticket to the client without a problem, but the login from the GUI doesn't work. Any thoughts are really appreciated!

Both client and server are running Debian 7.6.0 x86_64.

Answer 1

The key line to look at is:

gkr-pam: error looking up user information

Successful authentication doesn't necessarily mean access will be granted by PAM. The user must be recognized by the operating system, and must also pass the accounting checks (the account modules in the PAM stack).

The error above suggests that the user either does not exist on the system (from the console, does getent passwd <username> and getent shadow <username> both work?), or one of the PAM modules you have configured is having difficulty obtaining information about the user from a remote source.

Focus your investigation in this direction and you should be able to identify and correct the issue.