Kerberos locks out root account

[ShruggingAtlas]

I have been playing around with a basic KerberosV setup. I set kerberos up on my LAN via the short krb5.conf and DNS SRV entries as per the handbook.

It works beautifully for my users, but I discovered that if I setup a root principal, I can no longer log in as- or su to the root user on any machine in the realm.

I get this error in /var/log messages:

Jan 21 10:10:23 alpha su: pam_acct_mgmt: permission denied

And I see this in my kdc.log:

2010-01-21T10:12:15 No preauth found, returning PREAUTH-REQUIRED -- root@REALM
2010-01-21T10:12:15 AS-REQ root@REALM from IPv4:192.xxx.yyy.zzz for krbtgt/REALM@REALM
2010-01-21T10:12:15 Client sent patypes: encrypted-timestamp
2010-01-21T10:12:15 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
2010-01-21T10:12:15 TGS-REQ root@REALM from IPv4:192.xxx.yyy.zzz for host/alpha.domain.tld@REALM

Is this some kind of security feature I am not understanding, or have I made a mistake in my setup?

/Martin

 

[gilinko]

You haven't made a mistake, it is the security feature that you can only use su IF you are in the wheel group.

FreeBSD uses PAM for this, and specifically pam_group.so that ONLY looks in the local files(passwd etc) for user information, and that is why you don't get access as root if it's located in the kerberos realm.

I would not recommend that you put root in any external database(kerberos, ldap etc), but keep that on file on the local machine so that you can gain access even if the kerberos server is down for some reason or no network connection.

If you want to add the ability to su as a user, you have to change the configuration of the pam service. For instance for kerberos change the /etc/pam.d/system and uncoment the account line for pam_krb5.so

And in /etc/pam.d/su add the following BEFORE the pam_group.so entry:

auth    sufficient    pam_krb5.so    no_warn

To regain the limitation so that only people in a certain group can use SU, I use pam_require(which is in the ports tree) and add the following line to /etc/pam.d/su before the include system part in account.

account    sufficient    /usr/local/lib/pam_require.so @wheel @newwheel

newwheel is an extra group that you can add users to that should be allowed to use SU. This way you don't interfere with the basic authentication settings, in case there is a problem with kerberos(or in my case ldap)