Error Reading Keytab Krb5.keytab
error reading keytab file krb5.keytab

I've noticed these Kerberos keytab error messages on both SLES 11.2 and CentOS 6.3:

    sshd[31442]: pam_krb5[31442]: error reading keytab 'FILE:/etc/krb5.keytab'

/etc/krb5.keytab does not exist on our hosts, and from what I understand of the keytab file, we don't need it. Per this Kerberos keytab introduction:

    A keytab is a file containing pairs of Kerberos principals and encrypted keys (these are derived from the Kerberos password). You can use this file to log into Kerberos without being prompted for a password. The most common personal use of keytab files is to allow scripts to authenticate to Kerberos without human interaction, or store a password in a plaintext file.

This sounds like something we do not need and is perhaps better security-wise to not have it. How can I keep this error from popping up in our system logs?
Here is my krb5.conf if it's useful:

    banjer@myhost:~> cat /etc/krb5.conf
    # This file managed by Puppet
    #
    [libdefaults]
        default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        default_realm = FOO.EXAMPLE.COM
        dns_lookup_kdc = true
        clockskew = 300

    [logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            debug = false
            banner = "Enter your current"
        }

Let me know if you need to see any other configs. Thanks.

EDIT: This message shows up in /var/log/secure whenever a non-root user logs in via SSH or the console. It seems to only o
Server Fault question: http://serverfault.com/questions/446768/error-reading-keytab-file-krb5-keytab

[SOLVED] Kerberos/LDAP against Windows Server 2008 Active Directory - requires local user
LinuxQuestions.org thread: http://www.linuxquestions.org/questions/linux-enterprise-47/kerberos-ldap-against-windows-server-2008-active-directory-requires-local-user-919900/

12-21-2011, 03:54 PM #1, jrella:

I have been trying to get AD logins working on a linux machine. If I create a local linux user with the same name as the AD user, the linux machine will require the AD password. But if no corresponding local user exists, then I get invalid user errors:

Create test01 locally with no password. test01 can then login using the AD password:

    Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5
Kerberos Authentication
Experts Exchange question: https://www.experts-exchange.com/questions/23472151/Kerberos-Authentication.html
Posted on 2008-06-10

I've set up Kerberos authentication on a Linux box to authenticate users against an Active Directory domain. It is working, however, for each domain user that authenticates I get the following in /var/log/secure:

    Jun 10 08:58:27 dev sshd[8532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.456.789.123 user=bjones
    Jun 10 08:58:27 dev sshd[8532]: pam_krb5[8532]: authentication succeeds for 'bjones' (bjones@CORP.DOMAIN.LAN)
    Jun 10 08:58:27 dev sshd[8532]: Accepted password for bjones from 123.456.789.123 port 2716 ssh2
    Jun 10 08:58:27 dev sshd[8532]: pam_unix(sshd:session): session opened for user bjones by (uid=0)

The problem I have with this is the 'authentication failure' log for all of the domain users (because it is failing to authenticate locally). So I edited /etc/pam.d/system-auth and changed:

    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth sufficient pam_krb5.so use_first_pass
    auth required pam_deny.so

to:

    auth required pam_env.so
    auth sufficient pam_krb5.so use_first_pass
    auth sufficient pam_unix.so nullok try_

Blog post: https://sontsysadmin.blogspot.com/2015/10/kerberos-keytab-error-centos-6.html
    server sshd[52210]: pam_krb5[52210]: error reading keytab 'FILE:/etc/krb5.keytab'
    Oct 22 21:10:38 server sshd[52210]: pam_krb5[52210]: TGT verified
    Oct 22 21:10:38 server sshd[52210]: pam_krb5[52210]: authentication succeeds for 'abc' (abc@server.domain.com)
    Oct 22 21:10:38 server sshd[52210]: pam_unix(sshd:session): session opened for user abc by (uid=0)

To disable keytab validation and hence suppress these log messages, add the no_validate option to your PAM settings.

    auth sufficient pam_krb5.so use_first_pass no_validate

On my CentOS 6 servers, these are in the following files:

    /etc/pam.d/password-auth-ac
    /etc/pam.d/system-auth-ac

Posted by son_t at 02:44
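A check for the two states described above, written as an added example (not code from the blog post or from pam_krb5): it flags auth lines where no_validate turns off the TGT validation that guards against a spoofed KDC, and lines where validation is on but the keytab cannot be read. The sample stack, the finding labels and the function names are constructed for illustration.

```python
import os

KEYTAB = "/etc/krb5.keytab"  # default keytab path named in the log message

# Constructed sample stack in the style of /etc/pam.d/system-auth-ac.
SAMPLE_PAM = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass no_validate
auth required pam_deny.so
"""


def krb5_entries(pam_text):
    """Yield (line_number, options) for every pam_krb5.so auth line."""
    for number, raw in enumerate(pam_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # '#' starts a comment
        if not fields or fields[0].lstrip("-") != "auth":
            continue
        for i, token in enumerate(fields):
            if os.path.basename(token) == "pam_krb5.so":
                yield number, fields[i + 1:]
                break


def audit(pam_text, keytab=KEYTAB):
    """Return (line_number, finding) pairs for pam_krb5 auth lines.

    validation-disabled: no_validate is set, so the TGT is never checked
    keytab-unreadable:   validation is on but the keytab cannot be read,
                         the state that logs "error reading keytab"
    """
    readable = os.path.isfile(keytab) and os.access(keytab, os.R_OK)
    findings = []
    for number, options in krb5_entries(pam_text):
        if "no_validate" in options:
            findings.append((number, "validation-disabled"))
        elif not readable:
            findings.append((number, "keytab-unreadable"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_PAM):
        print(f"line {number}: {finding}")
```

To audit a real host, pass the contents of /etc/pam.d/system-auth-ac or /etc/pam.d/password-auth-ac to audit() in place of the sample.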