Login/permissions problems after installing Kerberos client
After setting up a Kerberos server (on a separate machine) and installing the Kerberos client on Ubuntu 16.04 desktop (and laptop), I have authentication and permission problems that I believe are caused by the PAM configuration. I do not have AD or LDAP.
Ubuntu Kerberos client installation:
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
sudo dpkg-reconfigure krb5-config
sudo auth-client-config -a -p kerberos_example
/etc/auth_client_config/profile.d/acc-default
pam_auth=auth [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass ignore_root debug
auth [success=done default=ignore] pam_unix.so nullok_secure debug
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
pam_account=account sufficient pam_krb5.so debug
account sufficient pam_unix.so debug
account required pam_permit.so
pam_password=password sufficient pam_unix.so nullok obscure min=4 max=8 md5 debug
password sufficient pam_krb5.so debug try_first_pass
password required pam_deny.so
pam_session=session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_foreground.so
session optional pam_krb5.so debug
session required pam_unix.so debug
Problems:
- Cannot log in as user to Unity or the command line (incorrect password), but can ssh.
- Can log in to the guest account (which I thought was disabled) and switch to the user account.
- On the laptop, the screen saver normally requires a password, but now does not.
- sudo does not accept the password.
- su works but does not require a password.
- Machine extremely slow with high memory usage - logs show permission problems trying to write files.
- Screen configuration (two displays) not correct and ignores settings.
Copying blindly from the web, I modified the configuration to:
pam_auth=auth [success=2 default=ignore] pam_krb5.so use_first_pass ignore_root debug
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass debug
auth requisite pam_deny.so
auth required pam_permit.so
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
pam_account=account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so debug
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so debug
pam_password=password [success=2 default=ignore] pam_krb5.so minimum_uid=1000
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
pam_session=session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_foreground.so
session optional pam_krb5.so debug
session required pam_unix.so debug
- Entering the password at login, it states that I have been logged in using cached credentials, and the password entry box says LOG IN >, which I must click to log in.
- Can ssh into the machine.
- sudo now works.
- su requires password and returns su: Authentication failure.
- Machine still slow.
- Screen configuration still not correct.
/etc/krb5.conf
[libdefaults]
        default_realm = MYDOMAIN.XXX
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
# [CAN I DELETE THESE SINCE I HAVE MIT?]
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
[realms]
        MYDOMAIN.XXX = {
                kdc = master_kdc.mydomain.xxx
                kdc = secondary_kdc.mydomain.xxx
                admin_server = master_kdc.mydomain.xxx
        }
[domain_realm]
        .mydomain.xxx = MYDOMAIN.XXX
        mydomain.xxx = MYDOMAIN.XXX
[login]
        krb4_convert = true
        krb4_get_tickets = false
Example entries in syslog:
gnome-session-binary[2652]: WARNING: Could not get session id for session. Check that logind is properly installed and pam_systemd is getting used at login.
gnome-session[2652]: gnome-session-binary[2652]: dconf-CRITICAL: unable to create file '/home/paul/.cache/dconf/user': Permission denied. dconf will not work properly.
org.gnome.ScreenSaver[2549]: ** (gnome-screensaver:2733): WARNING **: Couldn't get presence status: The name org.gnome.SessionManager was not provided by any .service files
org.gnome.ScreenSaver[2549]: (gnome-screensaver:2733): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied. dconf will not work properly.
smbd[3754]: [2018/04/30 14:19:21.213850, 0] ../source3/param/loadparm.c:3259(process_usershare_file)
smbd[3754]: process_usershare_file: stat of /var/lib/samba/usershares/pictures failed. No such file or directory
gnome-session[2652]: (deja-dup-monitor:3449): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied. dconf will not work properly.
gnome-session[2652]: (gnome-software:2890): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied. dconf will not work properly.
auth.log
lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet.so
lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet5.so
lightdm: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_foreground.so
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_open_session: entry
lightdm: pam_krb5(lightdm-greeter:session): no context found, creating one
lightdm: pam_krb5(lightdm-greeter:session): (user lightdm) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_open_session: exit (ignore)
lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet.so
lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet5.so
lightdm: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_foreground.so
lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "paul"
lightdm: pam_krb5(lightdm:auth): pam_sm_authenticate: entry
sshd[1062]: Received SIGHUP; restarting.
sshd[1062]: Server listening on 0.0.0.0 port 22.
sshd[1062]: Server listening on :: port 22.
sshd[1062]: Received SIGHUP; restarting.
sshd[1062]: Server listening on 0.0.0.0 port 22.
sshd[1062]: Server listening on :: port 22.
gnome-keyring-daemon[1955]: couldn't set environment variable in session: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such method 'Setenv'
dbus[905]: [system] Failed to activate service 'org.bluez': timed out
lightdm: pam_krb5(lightdm:auth): (user paul) attempting authentication as paul@MYDOMAIN.XXX
lightdm: pam_krb5(lightdm:auth): user paul authenticated as paul@MYDOMAIN.XXX
lightdm: pam_krb5(lightdm:auth): (user paul) temporarily storing credentials in /tmp/krb5cc_pam_498NCw
lightdm: pam_krb5(lightdm:auth): pam_sm_authenticate: exit (success)
lightdm: pam_krb5(lightdm:account): pam_sm_acct_mgmt: entry
lightdm: pam_krb5(lightdm:account): (user paul) retrieving principal from cache
lightdm: pam_krb5(lightdm:account): pam_sm_acct_mgmt: exit (success)
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_close_session: entry
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_close_session: exit (success)
lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
lightdm: pam_krb5(lightdm:setcred): pam_sm_setcred: entry (establish)
lightdm: pam_krb5(lightdm:setcred): (user paul) initializing ticket cache FILE:/tmp/krb5cc_1000_pYqd6X
lightdm: pam_krb5(lightdm:setcred): pam_sm_setcred: exit (success)
lightdm: pam_krb5(lightdm:session): pam_sm_open_session: entry
lightdm: pam_krb5(lightdm:session): pam_sm_open_session: exit (success)
lightdm: pam_unix(lightdm:session): session opened for user paul by (uid=0)
gnome-keyring-daemon[2463]: The Secret Service was already initialized
gnome-keyring-daemon[2463]: The SSH agent was already initialized
gnome-keyring-daemon[2463]: The PKCS#11 component was already initialized
dbus[905]: [system] Failed to activate service 'org.bluez': timed out
pkexec[3386]: paul: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/home/paul] [COMMAND=/usr/lib/update-notifier/package-system-locked]
CRON[3474]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3474]: PAM adding faulty module: pam_foreground.so
CRON[3474]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3474]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3474]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3474]: pam_krb5(cron:setcred): no context found, creating one
CRON[3474]: pam_krb5(cron:setcred): ignoring root user
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3474]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3474]: pam_unix(cron:session): session closed for user root
CRON[3520]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3520]: PAM adding faulty module: pam_foreground.so
CRON[3520]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3520]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3520]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3520]: pam_krb5(cron:setcred): no context found, creating one
CRON[3520]: pam_krb5(cron:setcred): ignoring root user
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3520]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3520]: pam_unix(cron:session): session closed for user root
CRON[3701]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3701]: PAM adding faulty module: pam_foreground.so
CRON[3701]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3701]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3701]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3701]: pam_krb5(cron:setcred): no context found, creating one
CRON[3701]: pam_krb5(cron:setcred): ignoring root user
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3701]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3701]: pam_unix(cron:session): session closed for user root
CRON[3729]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3729]: PAM adding faulty module: pam_foreground.so
CRON[3729]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3729]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3729]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3729]: pam_krb5(cron:setcred): no context found, creating one
CRON[3729]: pam_krb5(cron:setcred): ignoring root user
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3729]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3729]: pam_unix(cron:session): session closed for user root
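Editor's added example, not part of the question above and not code from Ubuntu's auth-client-config or from the PAM modules it names. The bracketed controls in both auth stacks posted here (`[success=1 default=2]`, `[default=done]`) are positional jumps and terminators, so what a stack returns depends on exactly which line each jump lands on. The script below is a small simulator of the stacking rules documented in pam.conf(5) (ok, done, bad, die, reset, ignore and the numeric jump, which skips lines without recording a result), fed with the two `pam_auth` stacks from the question. The module return codes it uses (`auth_err` from pam_krb5 and pam_unix on a wrong password, `success` from a pam_ccreds `store`, `validate` succeeding only when a matching cached credential is assumed to exist) are constructed what-if inputs, not values measured on the poster's machines; the check a defender wants is whether any combination of those inputs lets a stack return success without a correct password.

```python
# Added example: simulator of Linux-PAM stacking rules per pam.conf(5).
# Module return codes below are constructed what-if inputs, not measurements.
import re

# Keyword controls rewritten in the bracket form pam.conf(5) gives for them.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# type, control (keyword or [bracket list]), module, optional arguments.
# The optional "pam_auth=" prefix is auth-client-config profile syntax.
LINE_RE = re.compile(r"^(?:pam_\w+=)?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse pam.conf-style lines into dicts: type, control map, module, args."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        typ, ctl, module, args = m.groups()
        control = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else dict(KEYWORDS[ctl]))
        entries.append({"type": typ, "control": control, "module": module, "args": args.split()})
    return entries


def result_key(entry):
    """pam_ccreds.so is listed several times; tell the lines apart by action=."""
    for a in entry["args"]:
        if a.startswith("action="):
            return f"{entry['module']}:{a.split('=', 1)[1]}"
    return entry["module"]


def evaluate(stack, results, stack_type="auth"):
    """Walk one stack type the way libpam's dispatcher does.

    `results` maps result_key(entry) -> return code ('success', 'auth_err',
    'authinfo_unavail', 'ignore', ...).  Returns (final status, trace).
    A numeric action jumps over N lines without recording a result, which is
    why Debian-style stacks follow a jump with pam_deny.so and pam_permit.so.
    """
    impression, status, skip, trace = None, None, 0, []   # None = undefined
    for entry in (e for e in stack if e["type"] == stack_type):
        name = result_key(entry)
        if skip:
            skip -= 1
            trace.append(f"{name}: skipped by jump")
            continue
        rc = results[name]
        action = entry["control"].get(rc, entry["control"].get("default", "ignore"))
        trace.append(f"{name} -> {rc}, action={action}")
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                if rc != "ignore" or impression is None:
                    impression, status = True, rc
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, rc
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
        elif action.isdigit():
            skip = int(action)
        else:
            raise ValueError(f"unknown action {action!r}")
    if impression is None or status == "ignore":
        status = "perm_denied"
    return status, trace


# The two auth stacks from the question, verbatim.
ORIGINAL_AUTH = """
pam_auth=auth [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass ignore_root debug
auth [success=done default=ignore] pam_unix.so nullok_secure debug
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
"""
MODIFIED_AUTH = """
pam_auth=auth [success=2 default=ignore] pam_krb5.so use_first_pass ignore_root debug
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass debug
auth requisite pam_deny.so
auth required pam_permit.so
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
"""


def scenario(krb5, unix, cached):
    """Constructed what-if module results; validate succeeds only if a
    matching cached credential is assumed to exist."""
    return {"pam_krb5.so": krb5, "pam_unix.so": unix,
            "pam_deny.so": "auth_err", "pam_permit.so": "success",
            "pam_ccreds.so:validate": "success" if cached else "auth_err",
            "pam_ccreds.so:store": "success", "pam_ccreds.so:update": "success"}


SCENARIOS = {
    "wrong password": scenario("auth_err", "auth_err", cached=False),
    "right password, nothing cached": scenario("success", "success", cached=False),
    "right password, cached": scenario("success", "success", cached=True),
}


def compare():
    """Final status of each stack under each scenario: {stack: {scenario: status}}."""
    stacks = {"original": parse_stack(ORIGINAL_AUTH), "modified": parse_stack(MODIFIED_AUTH)}
    return {s: {n: evaluate(st, r)[0] for n, r in SCENARIOS.items()} for s, st in stacks.items()}


if __name__ == "__main__":
    for stack_name, text in (("original", ORIGINAL_AUTH), ("modified", MODIFIED_AUTH)):
        for scen, res in SCENARIOS.items():
            status, trace = evaluate(parse_stack(text), res)
            print(f"{stack_name} / {scen}: {status}")
            print("    " + "\n    ".join(trace))
```

Under these assumed inputs the trace of the original stack shows the positional problem: on a wrong password `default=2` jumps over pam_unix and the `validate` line and lands on `store`, whose `[default=done]` ends the stack with whatever `store` returned, while on a correct password `success=1` lands on `validate`, which terminates the stack before `store` is ever reached. The modified stack's pam_deny/pam_permit pair turns a failed Kerberos and Unix check into a definite failure regardless of the pam_ccreds lines, which is the property to verify first; whether the cached-credential lines behave as intended on a real machine depends on what pam_ccreds actually returns there, which this simulator takes as input rather than deciding.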