I have been playing around with a basic KerberosV setup. I set Kerberos up on my LAN via the short krb5.conf and DNS SRV entries as per the handbook.
It works beautifully for my users, but I discovered that if I set up a root principal, I can no longer log in as, or su to, the root user on any machine in the realm.
I get this error in /var/log/messages:
Code:
Jan 21 10:10:23 alpha su: pam_acct_mgmt: permission denied
And I see this in my kdc.log:
Code:
2010-01-21T10:12:15 No preauth found, returning PREAUTH-REQUIRED -- root@REALM
2010-01-21T10:12:15 AS-REQ root@REALM from IPv4:192.xxx.yyy.zzz for krbtgt/REALM@REALM
2010-01-21T10:12:15 Client sent patypes: encrypted-timestamp
2010-01-21T10:12:15 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
2010-01-21T10:12:15 TGS-REQ root@REALM from IPv4:192.xxx.yyy.zzz for host/alpha.domain.tld@REALM
Is this some kind of security feature I am not understanding, or have I made a mistake in my setup?
/Martin