
Failed primary KDC - Can't login



I've set up two KDCs (kerberos1/rmgztk and kerberos2/morwen) and a client (tuzjfi).

All of them are SPARC SS4's (if that matters :). Now kerberos1 has failed
(problem with the memory somehow). I'm using 'pam_ldap', 'pam_krb5' and
'nss_ldap' for authentication/authorization...

I can get a ticket, I can finger myself etc but when trying to login it fails
(login times out after 60 seconds)...

Logs when trying to login:
----- s n i p -----
morwen:~# tail -f /var/log/kerberos/krb5kdc.log -n0
Aug 07 11:16:37 morwen krb5kdc[2892](info): AS_REQ (3 etypes {16 1 3}) 192.168.1.4(88): NEEDED_PREAUTH: turbo@BAYOUR.COM for krbtgt/BAYOUR.COM@BAYOUR.COM, Additional pre-authentication required
Aug 07 11:16:48 morwen krb5kdc[2892](info): AS_REQ (3 etypes {16 1 3}) 192.168.1.4(88): ISSUE: authtime 1028711808, etypes {rep=16 tkt=16 ses=16}, turbo@BAYOUR.COM for krbtgt/BAYOUR.COM@BAYOUR.COM
----- s n i p -----

The second line comes just before I get 'login timed out ...', but it
seems like it's succeeding!

One thing that I thought of was that there's no KAdmin (krb524d) running
on kerberos2. Do I really _HAVE_ to run one? Kerberos2 is 'never' going
to be the master, it's just to authenticate users/services while kerberos1
is down (hopefully a very short time :)...

But I think the real problem is the timeout. Since I'm using LDAP (PAM/NSS),
and it takes a while before the LDAP libs try the second LDAP server (which 
is kerberos2), login times out.

If indeed this is the problem, this is more of an OpenLDAP issue (hence the
Cc)...
-- 
Khaddafi Cuba Qaddafi Marxist Cocaine radar Ortega kibo DES terrorist
nitrate attack president NSA North Korea
[See http://www.aclu.org/echelonwatch/index.html for more about this]
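
Added example, not part of the original post: a small parser for the krb5kdc AS_REQ lines quoted above that reports whether a KDC issued a TGT for a principal and how many seconds passed since that principal's first request, which helps separate a KDC failure from a delay elsewhere in the login stack. The function names and the default year (taken from the `authtime` value in the log, since the syslog timestamp has none) are assumptions of this example.

```python
import re
from datetime import datetime

# The two krb5kdc.log lines quoted in the post.
SAMPLE = """\
Aug 07 11:16:37 morwen krb5kdc[2892](info): AS_REQ (3 etypes {16 1 3}) 192.168.1.4(88): NEEDED_PREAUTH: turbo@BAYOUR.COM for krbtgt/BAYOUR.COM@BAYOUR.COM, Additional pre-authentication required
Aug 07 11:16:48 morwen krb5kdc[2892](info): AS_REQ (3 etypes {16 1 3}) 192.168.1.4(88): ISSUE: authtime 1028711808, etypes {rep=16 tkt=16 ses=16}, turbo@BAYOUR.COM for krbtgt/BAYOUR.COM@BAYOUR.COM
"""

# timestamp, KDC host, client address and request status of an AS_REQ line
LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{[\d ]+\}\) (?P<client>[\d.]+)\(\d+\): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" inside the remainder
PRINC = re.compile(r"(?P<princ>\S+@\S+) for (?P<service>[^\s,]+)")


def parse_as_req(text, year=2002):
    """Return one dict per AS_REQ line; other lines are skipped.

    The log carries no year, so `year` is an assumption used only for
    time arithmetic between lines.
    """
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        p = PRINC.search(m["rest"]) if m else None
        if not p:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "kdc": m["host"], "client": m["client"],
                       "status": m["status"], "principal": p["princ"],
                       "service": p["service"]})
    return events


def summarize(events, principal):
    """Was a TGT issued for `principal`, and how long after its first AS_REQ?"""
    mine = [e for e in events if e["principal"] == principal]
    issued = [e for e in mine if e["status"] == "ISSUE"]
    if not issued:
        return {"issued": False, "kdc": None, "seconds_to_issue": None}
    delta = issued[0]["time"] - mine[0]["time"]
    return {"issued": True, "kdc": issued[0]["kdc"],
            "seconds_to_issue": int(delta.total_seconds())}


if __name__ == "__main__":
    print(summarize(parse_as_req(SAMPLE), "turbo@BAYOUR.COM"))
```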