Troubleshooting pam authentication

Ok... So I am researching FreeBSD and Active Directory integration, as I have mentioned before:
http://rhyous.com/2010/05/07/connecting-to-active-directory-with-kerberos-on-freebsd/

So it is very simple to set up a Kerberos client and get a ticket from Active Directory.

I would assume it would be easy to change FreeBSD to also use Kerberos authentication so a user on the Kerberos server could log into FreeBSD, but it is not really working.

Since I know Kerberos is set up and working, it is PAM and pam_krb5.so that must be the point of failure.

I added debug to the parameters of the lines in /etc/pam.d/sshd, but I don't see any extra logging anywhere.

  1. Any good tips on troubleshooting PAM?
  2. I do have the code pulled down; however, I am not sure what process is doing the authentication or what to build and attach gdb to and debug.
 
By default, FreeBSD base system binaries are not built with "debug" activated, so adding that option has no effect whatsoever (as you have discovered). You have to rebuild kernel+world with debug to use it. If you remove the no_warn part from the kerberos line then you will see logged messages in /var/log/auth when it gives off a warning, which might get you started on finding out what the error is.
 
Well, according to the pam_krb5(8) man page, the "debug" option logs to syslog with LOG_DEBUG level. So you need to add an appropriate line to /etc/syslog.conf that will log debug messages. I think the default installation *may* have a log in /var/log/debug.log, but check the syslog configuration. The "no_warn" option is also a good place to start.

Be aware that krb5 can't be used as a source for nsswitch.conf because there isn't enough information stored in Kerberos to serve as a directory service. You can use nss_ldap against the Active Directory server for that purpose though (I did as much at a previous company many moons ago).
 
The man page does say that, as it does for a lot of things in the base system. However, for the few things I have tried it on, it just doesn't work and says so when use is attempted (try using -D or -d on ntpd and it will say "illegal option"). And in a "generic binary" install I would say that the absence of debug code is normal as it increases performance, and having two different man pages depending on whether debugging is enabled or not is just not practical. I could be wrong though...

But you may have stumbled in on the real reason "why it doesn't work". If PAM authenticates a user and then fails to find the information in the session lookup (i.e. the user information) it will silently fail, as it isn't an error. It would generate a warning though, if you have removed that option from the pam.d file. In that case you will need nss_ldap, which conveniently is in the ports tree at net/nss_ldap.
 
I just checked the code, there isn't anything that is conditionally compiled based on DEBUG. It should work.
 
Thanks guys.

So, if I log in with a local user, I see an entry in /var/log/debug.log.

Code:
May 8 15:15:47 F8AD sshd[96461]: pam_krb5: verify_krb_v5_tgt(): krb_kt_read_service_key(): Key table entry not found.

However, if I try to log in with a user that is in AD but doesn't exist locally, nothing happens.

Ok, so to really debug, I need to build world with debug enabled.

So I am building world using 8-stable and debug enabled.

I added to my /etc/make.conf this line:
Code:
DEBUG_FLAGS=-g
 
If you don't get an error when using Kerberos against your AD, I would first of all check your AD/Kerberos to see if a ticket was authorized and issued. If it was, then the authentication does work, and your problem is the session information, which you would have to use nss_ldap to access from your AD.

Might be quicker to test before you start rebuilding kernel+world.
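The replies above name three separate reasons why pam_krb5 can appear to log nothing: no_warn on the pam_krb5 line suppresses its warnings, the debug option logs at LOG_DEBUG so syslogd needs a selector that accepts that level, and an AD-only user who is not resolvable through nsswitch fails silently after Kerberos has already issued the ticket. The following POSIX sh script is an added example, not something posted in this thread or shipped with FreeBSD; it checks each of those points. It assumes a FreeBSD-style /etc/pam.d/<service> file, /etc/syslog.conf and getent(1), and every function takes the file to inspect as an argument so it can be run against a copy or a constructed sample as well as the live files.

```sh
#!/bin/sh
# pam_krb5 logging triage (constructed example, not from the thread).
# Assumes FreeBSD-style /etc/pam.d/<service>, /etc/syslog.conf and getent(1).

# 1. Count the active (uncommented) pam_krb5 lines in a pam.d service file
#    that carry a given option, e.g. "no_warn" (which suppresses the
#    module's warnings) or "debug" (which makes it log at LOG_DEBUG).
#    $1: pam.d service file, $2: option name.  Prints the count.
count_pam_krb5_option() {
    grep -Ec \
        '^[[:space:]]*(auth|account|session|password)[[:space:]]+[a-z]+[[:space:]]+pam_krb5\.so.*[[:space:]]'"$2"'([[:space:]]|$)' \
        "$1" || true   # grep -c exits 1 on zero matches; the count is what we want
}

# 2. pam_krb5 "debug" output is sent at LOG_DEBUG, so syslogd must have a
#    selector that accepts debug-level messages (FreeBSD's syslog.conf
#    carries "*.=debug /var/log/debug.log" for that).  Print the selector
#    lines that accept debug level ("x.debug", "x.=debug" or "x.*");
#    returns 1 if there are none, i.e. nothing will ever be written.
#    $1: syslog.conf file.
syslog_debug_sinks() {
    grep -E '^[[:space:]]*[^#[:space:]][^[:space:]]*\.(=?debug|\*)[[:space:];,]' "$1"
}

# 3. PAM's account/session phases need the user to resolve through
#    nsswitch.  An AD-only user with no local passwd entry and no nss_ldap
#    fails here even though the TGT was issued.  Returns 0 if the user
#    resolves, non-zero otherwise.  $1: user name.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Run all three checks against the live files for one PAM service and one
# user name (hypothetical helper; "sshd" and the user are just arguments).
triage() {
    svc="/etc/pam.d/$1"
    printf 'pam_krb5 lines with no_warn in %s: %s\n' "$svc" "$(count_pam_krb5_option "$svc" no_warn)"
    printf 'pam_krb5 lines with debug   in %s: %s\n' "$svc" "$(count_pam_krb5_option "$svc" debug)"
    if syslog_debug_sinks /etc/syslog.conf; then
        :
    else
        echo 'no debug-level selector in /etc/syslog.conf: pam_krb5 debug output is discarded'
    fi
    if user_resolves "$2"; then
        echo "$2 resolves via nsswitch"
    else
        echo "$2 does NOT resolve via nsswitch (AD users need nss_ldap here)"
    fi
}
```

Source the file and call `triage sshd someaduser` as root; a non-zero no_warn count, an empty sink list, or an unresolvable user each points to one of the explanations given above, and checking these takes far less time than rebuilding world with DEBUG_FLAGS.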
 