
Login/permissions problems after installing Kerberos client

After setting up a Kerberos server (on a separate machine) and installing the Kerberos client on Ubuntu 16.04 desktop (and laptop), I have authentication and permission problems that I believe are caused by the PAM configuration. I do not have AD or LDAP.

Ubuntu Kerberos client installation:

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
sudo dpkg-reconfigure krb5-config
sudo auth-client-config -a -p kerberos_example

/etc/auth_client_config/profile.d/acc-default

pam_auth=auth  [authinfo_unavail=ignore success=1 default=2]  pam_krb5.so use_first_pass ignore_root debug
    auth     [success=done default=ignore]   pam_unix.so nullok_secure debug
    auth     [default=done]  pam_ccreds.so action=validate use_first_pass
    auth     [default=done]  pam_ccreds.so action=store
    auth     [default=bad]   pam_ccreds.so action=update
pam_account=account sufficient  pam_krb5.so debug
    account  sufficient      pam_unix.so debug
    account  required        pam_permit.so
pam_password=password sufficient  pam_unix.so nullok obscure min=4 max=8 md5 debug
    password sufficient      pam_krb5.so debug try_first_pass
    password required        pam_deny.so
pam_session=session required pam_mkhomedir.so umask=0022 skel=/etc/skel
    session  optional        pam_foreground.so
    session  optional        pam_krb5.so debug
    session  required        pam_unix.so debug

Problems:

  • Cannot log in as user to Unity or the command line (incorrect password), but can ssh.
  • Can log into the guest account (which I thought was disabled) and switch to the user account.
  • On laptop, the screen saver normally requires a password, but now does not.
  • sudo does not accept password.
  • su works but does not require a password.
  • Machine extremely slow with high memory usage - logs show permission problems trying to write files.
  • Screen configuration (two displays) not correct and ignores settings.

Copying blindly from the web, I modified the configuration to:

pam_auth=auth [success=2 default=ignore] pam_krb5.so use_first_pass ignore_root debug
    auth     [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass debug
    auth     requisite       pam_deny.so
    auth     required        pam_permit.so
    auth     [default=done]  pam_ccreds.so action=validate use_first_pass
    auth     [default=done]  pam_ccreds.so action=store
    auth     [default=bad]   pam_ccreds.so action=update
pam_account=account  [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so debug
    account  requisite       pam_deny.so
    account  required        pam_permit.so
    account  required        pam_krb5.so debug
pam_password=password [success=2 default=ignore]  pam_krb5.so     minimum_uid=1000
    password [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
    password requisite       pam_deny.so
    password required        pam_permit.so
pam_session=session    required  pam_mkhomedir.so umask=0022 skel=/etc/skel
    session  optional        pam_foreground.so
    session  optional        pam_krb5.so debug
    session  required        pam_unix.so debug

  • Entering the password at login, it states that I have been logged in using cached credentials, and the password entry box says LOG IN >, which I must click to log in.
  • Can ssh into the machine.
  • sudo now works.
  • su requires a password and returns su: Authentication failure.
  • Machine still slow.
  • Screen configuration still not correct.

/etc/krb5.conf

[libdefaults]
    default_realm = MYDOMAIN.XXX

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
# [CAN I DELETE THESE SINCE I HAVE MIT?]
    v4_instance_resolve = false
    v4_name_convert = {
            host = {
                    rcmd = host
                    ftp = ftp
            }
            plain = {
                    something = something-else
            }
    }

[realms]
    MYDOMAIN.XXX = {
            kdc = master_kdc.mydomain.xxx
            kdc = secondary_kdc.mydomain.xxx
            admin_server = master_kdc.mydomain.xxx
    }

[domain_realm]
    .mydomain.xxx = MYDOMAIN.XXX
    mydomain.xxx = MYDOMAIN.XXX

[login]
    krb4_convert = true
    krb4_get_tickets = false

Example entries in syslog:

gnome-session-binary[2652]: WARNING: Could not get session id for session. Check that logind is properly installed and pam_systemd is getting used at login.
gnome-session[2652]: gnome-session-binary[2652]: dconf-CRITICAL: unable to create file '/home/paul/.cache/dconf/user': Permission denied.  dconf will not work properly.
org.gnome.ScreenSaver[2549]: ** (gnome-screensaver:2733): WARNING **: Couldn't get presence status: The name org.gnome.SessionManager was not provided by any .service files
org.gnome.ScreenSaver[2549]: (gnome-screensaver:2733): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied.  dconf will not work properly.
smbd[3754]: [2018/04/30 14:19:21.213850,  0] ../source3/param/loadparm.c:3259(process_usershare_file)
smbd[3754]:   process_usershare_file: stat of /var/lib/samba/usershares/pictures failed. No such file or directory
gnome-session[2652]: (deja-dup-monitor:3449): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied.  dconf will not work properly.
gnome-session[2652]: (gnome-software:2890): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied.  dconf will not work properly.

auth.log

lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet.so
lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet5.so
lightdm: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_foreground.so
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_open_session: entry
lightdm: pam_krb5(lightdm-greeter:session): no context found, creating one
lightdm: pam_krb5(lightdm-greeter:session): (user lightdm) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_open_session: exit (ignore)
lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet.so
lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet5.so
lightdm: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_foreground.so
lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "paul"
lightdm: pam_krb5(lightdm:auth): pam_sm_authenticate: entry
sshd[1062]: Received SIGHUP; restarting.
sshd[1062]: Server listening on 0.0.0.0 port 22.
sshd[1062]: Server listening on :: port 22.
sshd[1062]: Received SIGHUP; restarting.
sshd[1062]: Server listening on 0.0.0.0 port 22.
sshd[1062]: Server listening on :: port 22.
gnome-keyring-daemon[1955]: couldn't set environment variable in session: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such method 'Setenv'
dbus[905]: [system] Failed to activate service 'org.bluez': timed out
lightdm: pam_krb5(lightdm:auth): (user paul) attempting authentication as paul@MYDOMAIN.XXX
lightdm: pam_krb5(lightdm:auth): user paul authenticated as paul@MYDOMAIN.XXX
lightdm: pam_krb5(lightdm:auth): (user paul) temporarily storing credentials in /tmp/krb5cc_pam_498NCw
lightdm: pam_krb5(lightdm:auth): pam_sm_authenticate: exit (success)
lightdm: pam_krb5(lightdm:account): pam_sm_acct_mgmt: entry
lightdm: pam_krb5(lightdm:account): (user paul) retrieving principal from cache
lightdm: pam_krb5(lightdm:account): pam_sm_acct_mgmt: exit (success)
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_close_session: entry
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_close_session: exit (success)
lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
lightdm: pam_krb5(lightdm:setcred): pam_sm_setcred: entry (establish)
lightdm: pam_krb5(lightdm:setcred): (user paul) initializing ticket cache FILE:/tmp/krb5cc_1000_pYqd6X
lightdm: pam_krb5(lightdm:setcred): pam_sm_setcred: exit (success)
lightdm: pam_krb5(lightdm:session): pam_sm_open_session: entry
lightdm: pam_krb5(lightdm:session): pam_sm_open_session: exit (success)
lightdm: pam_unix(lightdm:session): session opened for user paul by (uid=0)
gnome-keyring-daemon[2463]: The Secret Service was already initialized
gnome-keyring-daemon[2463]: The SSH agent was already initialized
gnome-keyring-daemon[2463]: The PKCS#11 component was already initialized
dbus[905]: [system] Failed to activate service 'org.bluez': timed out
pkexec[3386]: paul: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/home/paul] [COMMAND=/usr/lib/update-notifier/package-system-locked]
CRON[3474]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3474]: PAM adding faulty module: pam_foreground.so
CRON[3474]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3474]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3474]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3474]: pam_krb5(cron:setcred): no context found, creating one
CRON[3474]: pam_krb5(cron:setcred): ignoring root user
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3474]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3474]: pam_unix(cron:session): session closed for user root
CRON[3520]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3520]: PAM adding faulty module: pam_foreground.so
CRON[3520]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3520]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3520]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3520]: pam_krb5(cron:setcred): no context found, creating one
CRON[3520]: pam_krb5(cron:setcred): ignoring root user
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3520]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3520]: pam_unix(cron:session): session closed for user root
CRON[3701]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3701]: PAM adding faulty module: pam_foreground.so
CRON[3701]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3701]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3701]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3701]: pam_krb5(cron:setcred): no context found, creating one
CRON[3701]: pam_krb5(cron:setcred): ignoring root user
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3701]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3701]: pam_unix(cron:session): session closed for user root
CRON[3729]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3729]: PAM adding faulty module: pam_foreground.so
CRON[3729]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3729]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3729]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3729]: pam_krb5(cron:setcred): no context found, creating one
CRON[3729]: pam_krb5(cron:setcred): ignoring root user
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3729]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3729]: pam_unix(cron:session): session closed for user root
Paul B
  • Please add your krb5.conf file. Also - get it working w/o X first, doing it all at once is asking for pain. – TheFiddlerWins Apr 30 '18 at 20:16
  • @TheFiddlerWins I added the krb5.conf. I don't know how to get it working without X; I am just following the installation instructions from the MIT-Kerberos and Ubuntu sites. – Paul B May 01 '18 at 12:23

0 Answers