On 12/04/2011 14:35, Alain Péan wrote:
> On 12/04/2011 13:46, John Hodrien wrote:
>> On Sun, 10 Apr 2011, Alain Péan wrote:
>>
>>> After further verification, it seems to be related to ticket granting.
>>> Here is what I have in /var/log/messages :
>>> su: pam_krb5[7200]: TGT failed verification using keytab and key for
>>> 'host/bardeen.lab-lpp.local@LAB-LPP.LOCAL': Cannot find ticket for
>>> requested realm
>> I've yet to do a full upgrade to 5.6, but I have upgraded pam_krb5 to
>> peek at this, and it works fine for me (tested against 2003 and 2008 DCs).
>>
>> Contents of your /etc/krb5.conf and the output of 'klist -ke' could be
>> instructive.
>>
>> jh
> Hi John,
>
> Thanks for your answer. Here are the contents of /etc/krb5.conf and klist
> -ke. I agree that there can be something missing, that was working
> before...
>
> ]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5lib.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = LAB-LPP.LOCAL
>  default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
>  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  LAB-LPP.LOCAL = {
>   kdc = pc-lpp1.lab-lpp.local:88
>   kdc = pc-lpp2.lab-lpp.local:88
>   kdc = pc-lpp3.lab-lpp.local:88
>   kdc = pc-lpp4.lab-lpp.local:88
>   kdc = pc-lppx.lab-lpp.local:88
>   admin_server = pc-lpp1.lab-lpp.local:749
>   default_domain = LAB-LPP.LOCAL
>  }
>
> [domain_realm]
>  .lab-lpp.local = LAB-LPP.LOCAL
>  lab-lpp.local = LAB-LPP.LOCAL
>
> and :
> ]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
>    2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
>    2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
>    2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
>    2 host/centos-test@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
>    2 host/centos-test@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
>    2 host/centos-test@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
>    2 CENTOS-TEST$@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
>    2 CENTOS-TEST$@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
>    2 CENTOS-TEST$@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
>    2 HOST/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
>    2 HOST/centos-test.test-lpp.local@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
>    2 HOST/centos-test@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
>    2 HOST/centos-test@TEST-LPP.LOCAL (DES cbc mode with RSA-MD5)
>    2 HOST/centos-test@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
>
> It is a local domain because it spans multiple real DNS domains.
>
> Alain

Sorry, little error with the output of klist -ke, because I am testing on a test AD domain at this moment. On the first machine, output is :

# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
   2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/appleton@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
   2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 APPLETON$@LAB-LPP.LOCAL (ArcFour with HMAC/md5)

Alain

--
==========================================================
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
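An added example, not part of the thread: a small Python checker that cross-reads a krb5.conf fragment and 'klist -ke' output the way John's request implies. It reports whether the keytab holds a host/<fqdn> key in the realm named by default_realm (the key pam_krb5 decrypts the service ticket with when it verifies the TGT), which realms the keytab actually covers, which keys use single DES or RC4, and whether any *_enctypes option name differs from the MIT krb5 names default_tkt_enctypes / default_tgs_enctypes / permitted_enctypes (unknown names are silently ignored by libkrb5). The sample inputs are abbreviated, constructed copies of the config and the test-machine listing quoted above; the hostname passed in is the test machine's, so the realm mismatch it reports is the one Alain already explains.

```python
import re

# Constructed sample input: abbreviated copies of the thread's config and test-machine listing.
KRB5_CONF = """[libdefaults]
 default_realm = LAB-LPP.LOCAL
 default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
"""
KLIST_KE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
   2 CENTOS-TEST$@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
"""
# MIT krb5 option names; any other *_enctypes relation is ignored by libkrb5.
ENCTYPE_OPTIONS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
WEAK_PREFIXES = ("DES cbc", "ArcFour")  # single DES and RC4 as printed by klist

def parse_conf(text):
    """Return (default_realm, set of misspelled *_enctypes option names)."""
    realm, unknown = None, set()
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "default_realm":
            realm = value
        elif key.endswith("_enctypes") and key not in ENCTYPE_OPTIONS:
            unknown.add(key)
    return realm, unknown

def parse_keytab(text):
    """Return [(kvno, principal, enctype)] from 'klist -ke' output."""
    pat = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
    matches = (pat.match(line) for line in text.splitlines())
    return [(int(k), p, e) for k, p, e in (m.groups() for m in matches if m)]

def check(conf, klist, fqdn):
    """Cross-check the keytab against the realm pam_krb5 will verify the TGT in."""
    realm, unknown = parse_conf(conf)
    entries = parse_keytab(klist)
    wanted = f"host/{fqdn}@{realm}"  # the principal named in the pam_krb5 error
    return {
        "default_realm": realm,
        "keytab_realms": sorted({p.rsplit("@", 1)[1] for _, p, _ in entries}),
        "host_key_present": any(p == wanted for _, p, _ in entries),
        "weak_enctypes": sorted({e for _, _, e in entries if e.startswith(WEAK_PREFIXES)}),
        "unknown_enctype_options": sorted(unknown),
    }
```

Run it as check(KRB5_CONF, KLIST_KE, "centos-test.test-lpp.local") and compare the reported keytab realms with default_realm; on a production host feed it the real files instead of the constructed strings.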