 Re: Kerberos not allowing the network password for some users
Are your clocks synchronized?
jda wrote:
> Production server rp7410 hp11v2, Test server rp5450 hp11v2 both have
> Dec '07 Quality Pack installed. Both up to date on patches. Network
> is a Windows Active Directory (AD).
>
> The Test server is a clone of the Production server, and I've been
> working with HP support on a couple of sambaclient problems. We have
> been using the Test server to try solutions and when we are confident
> the changes/patches works on the Test sever I do the same changes on
> the Production server.
>
> Before I started to make any changes on the Production server users
> could use either their 'network' or their 'unix' (local) passwords
> when logging in. However somewhere along the way this stopped working
> on the Production server for thoses people that their network and
> local unix passwords are different, it still works on the Test server.
>
> syslogs does show this, when some with different passwords ties
> network password first:
>
> Mar 12 14:33:02 leto sshd[12931]: while verifying tgt[Unknown code
> ____ 255]
> Mar 12 14:33:02 leto sshd[12931]: [Authentication failed] Password not
> valid
> Mar 12 14:33:08 leto sshd[12931]: error: PAM: Authentication failed
> for User1 from uaxxxx.graceland.edu
> Mar 12 14:33:11 leto sshd[12931]: [Authentication failed] Password not
> valid
> Mar 12 14:33:11 leto sshd[12931]: Accepted password for User1 from
> 10.125.xx.xx port 4891 ssh2
> Mar 12 14:33:11 leto sshd[12931]: Pam Creds are not available
>
>
> To the best of my knowledge both servers are configured the same for
> Kerberos and PAM. I have checked /etc/krb5.conf & /etc/pam.krb5 on
> both systems and they are identical. (HP support wanted me to change
> which AD server we point to) Changing the file back has no affect.
>
> Besides /etc/krb5.conf what other files might I look at so see if
> there is some slight difference between the two servers that Kerberos
> uses?
>
> John
>
 |