Hi,
I'm trying to set up authentication with Kerberos (Active Directory) for some Ubuntu and Debian clients.
This is working fine, except for offline logins (laptops). In this case I always get a login timeout.
Some things I found with Google:
https://wiki.ubuntu.com/NetworkAuthentication/Client?highlight=(pam_ccreds.so)#PAM
http://www.klabs.be/~fpiat/linux/debian/Disconnected_Authentication.html
My common-auth for PAM:
Code:
auth [success=done default=ignore] pam_unix.so debug
auth [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass minimum_uid=1000 debug
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth requisite pam_deny.so
auth required pam_permit.so
With this an offline login always fails with the message "Login timed out after 60 seconds".
auth.log:
Code:
Jul 6 10:42:04 foo login[24712]: pam_unix(login:auth): authentication failure; logname=myuser uid=0 uid=0 tty=tty3 ruser= rhos
Jul 6 10:42:04 foo login[24712]: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Jul 6 10:42:04 foo login[24712]: (pam_krb5): myuser: attempting authentication as myuser@foobarblub666.net
Changing the value for the kdc_timeout in krb5.conf didn't change anything.
Code:
[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        kdc_timeout = 5
        max_retries = 1
    }
Online login with Kerberos and pam_ccreds is working fine.
Code:
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: attempting authentication as myusere@foobarblub666.net
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: pam_sm_authenticate: exit (success)
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: pam_sm_acct_mgmt: entry (0x0)
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: retrieving principal from cache
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: pam_sm_acct_mgmt: exit (success)
Jul 6 10:58:07 foo sshd[26016]: Accepted password for myusere from 192.168.1.254 port 55154 ssh2
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: pam_sm_setcred: entry (0x2)
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: initializing ticket cache FILE:/tmp/krb5cc_1000_LzpSNP
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: pam_sm_setcred: exit (success)
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: pam_sm_setcred: entry (0x2)
Jul 6 10:58:07 foo sshd[26016]: (pam_krb5): myusere: pam_sm_setcred: exit (success)
Jul 6 10:58:07 foo sshd[26016]: pam_unix(sshd:session): session opened for user myusere by (uid=0)
Jul 6 10:58:07 foo sshd[26027]: (pam_krb5): myusere: pam_sm_setcred: entry (0x2)
Jul 6 10:58:07 foo sshd[26027]: (pam_krb5): myusere: pam_sm_setcred: exit (success)
Any ideas what to do to not run into the 60 second timeout?