On 12/04/2011 13:46, John Hodrien wrote:
On Sun, 10 Apr 2011, Alain Péan wrote:
After further verification, it seems to be related to ticket granting. Here is what I have in /var/log/messages:
su: pam_krb5[7200]: TGT failed verification using keytab and key for 'host/bardeen.lab-lpp.local@LAB-LPP.LOCAL': Cannot find ticket for requested realm
I've yet to do a full upgrade to 5.6, but I have upgraded pam_krb5 to peek at this, and it works fine for me (tested against 2003 and 2008 DCs).
Contents of your /etc/krb5.conf and the output of 'klist -ke' could be instructive.
jh
Hi John,
Thanks for your answer. Here are the contents of /etc/krb5.conf and klist -ke. I agree that there can be something missing, that was working before...
]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5lib.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = LAB-LPP.LOCAL
 default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 LAB-LPP.LOCAL = {
  kdc = pc-lpp1.lab-lpp.local:88
  kdc = pc-lpp2.lab-lpp.local:88
  kdc = pc-lpp3.lab-lpp.local:88
  kdc = pc-lpp4.lab-lpp.local:88
  kdc = pc-lppx.lab-lpp.local:88
  admin_server = pc-lpp1.lab-lpp.local:749
  default_domain = LAB-LPP.LOCAL
 }

[domain_realm]
 .lab-lpp.local = LAB-LPP.LOCAL
 lab-lpp.local = LAB-LPP.LOCAL

and:

]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
   2 host/centos-test@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/centos-test@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/centos-test@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
   2 CENTOS-TEST$@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
   2 CENTOS-TEST$@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 CENTOS-TEST$@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
   2 HOST/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 HOST/centos-test.test-lpp.local@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
   2 HOST/centos-test@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
   2 HOST/centos-test@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 HOST/centos-test@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
It is a local domain because it spans multiple real DNS domains.
Alain
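
Added example, not part of the thread: a Python cross-check of the three artifacts discussed above (the pam_krb5 log line, the `default_realm` in krb5.conf, and the `klist -ke` listing). The sample data is copied, abbreviated, from the messages above; the function names are this example's own.

```python
import re

# Log line quoted in the thread (from /var/log/messages).
LOG_LINE = ("su: pam_krb5[7200]: TGT failed verification using keytab and key for "
            "'host/bardeen.lab-lpp.local@LAB-LPP.LOCAL': "
            "Cannot find ticket for requested realm")

# Four of the fifteen `klist -ke` entries posted above (abbreviated sample).
KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 HOST/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
   2 host/centos-test@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 CENTOS-TEST$@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
"""

# The one krb5.conf setting this check needs, as posted above.
KRB5_CONF = "[libdefaults]\n default_realm = LAB-LPP.LOCAL\n"

def keytab_entries(klist_text):
    """Return (kvno, principal, enctype) tuples parsed from `klist -ke` output."""
    pat = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")
    return [(int(m[1]), m[2], m[3])
            for m in map(pat.match, klist_text.splitlines()) if m]

def default_realm(conf_text):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf_text, re.M)
    return m.group(1) if m else None

def logged_principal(line):
    """Principal pam_krb5 says it tried to verify the TGT against."""
    m = re.search(r"key for '([^']+)'", line)
    return m.group(1) if m else None

def check(log_line, klist_text, conf_text):
    entries = keytab_entries(klist_text)
    wanted = logged_principal(log_line)
    return {
        "wanted": wanted,
        # Principal names are case-sensitive, so compare exactly.
        "in_keytab": any(p == wanted for _, p, _ in entries),
        "keytab_realms": sorted({p.rsplit("@", 1)[1] for _, p, _ in entries}),
        "default_realm": default_realm(conf_text),
        "single_des": sum(e.startswith("DES cbc") for _, _, e in entries),
    }

if __name__ == "__main__":
    for key, value in check(LOG_LINE, KLIST, KRB5_CONF).items():
        print(f"{key}: {value}")
```

On a live host, feed it the real output of `klist -ke`, the contents of /etc/krb5.conf and the matching line from /var/log/messages instead of the embedded samples.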