[27812] in Kerberos


RE: Users occasionally kicked after pam_krb5 login

daemon@ATHENA.MIT.EDU (Edgecombe, Jason)
Thu May 24 14:59:07 2007

Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 24 May 2007 12:55:45 -0400
Message-ID: <A01ABA2A211C644596549C5FF91C50E414EC74E3@EXEVS02.its.uncc.edu>
In-Reply-To: <5D2E0A16-B7C0-4991-8FC3-8DB1A996CF22@gmail.com>
From: "Edgecombe, Jason" <jwedgeco@uncc.edu>
To: "Norman Elton" <normelton@gmail.com>, <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Ok,

run "setenforce 0" as root and see if that fixes things. 

Jason

Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Norman Elton
Sent: Thursday, May 24, 2007 12:13 PM
To: kerberos@mit.edu
Subject: Re: Users occasionally kicked after pam_krb5 login

Jason,

I've recreated the entire setup on virtual machines. A fresh KDC and
a fresh client, both running RedHat 5. The problem persists. As part
of my .bashrc file, I'm logging the output of "klist", and have
discovered that in the cases that the user is getting immediately
kicked off the system, there are no tickets listed. When a ticket is
present, the user's session behaves normally. There is likewise no
/tmp/krb5cc_xxx key cache.

My /var/log/messages log looks the same whether the user gets a  
ticket or not:

May 24 12:10:24 client login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser
May 24 12:10:24 client login: pam_krb5[4198]: authentication succeeds for 'testuser' (testuser@KRBDOMAIN)
May 24 12:10:24 client login: pam_unix(login:session): session opened for user testuser by LOGIN(uid=0)
May 24 12:10:24 client login: pam_selinux(login:session): Warning!  Could not get new context for /dev/tty1, not relabeling: Invalid argument
May 24 12:10:24 client login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t
May 24 12:10:24 client login: LOGIN ON tty1 BY testuser

I've noticed the strange looking selinux message before, but cannot  
find a cause for it. I'm running selinux in permissive mode, so I  
don't think this is the culprit.

I've also turned on PAM debugging, and nothing suspicious here  
either. The output from a "bad" session matches line-for-line the  
output of a "good" session followed by a manual logout.

Thanks again for your help. Any thoughts?

Norman

On May 23, 2007, at 3:50 PM, Edgecombe, Jason wrote:

> What does /var/log/messages say?
>
> Jason Edgecombe
> Solaris & Linux Administrator
> Mosaic Computing Group, College of Engineering
> UNC-Charlotte
> Phone: (704) 687-3514
>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
