
Re: strange behaviour with login



On Wed, Mar 14, 2001 at 01:47:30PM +0100, Alex Schenkman wrote:
> First, thanks for your help during the last days!!
> 
> Now:
> 
> I have a heimdal kdc running on OpenBSD.
> I changed the invocation of login to use heimdal's login (in /etc/gettytab) and
> from the console I can login with a kdc username/passwd.
> 
> From another box (FreeBSD) using also heimdal, I tried to login ("me") using
> again the kdc. The logs from the kdc show
> 
> 2001-03-14T13:54:48 AS-REQ me@FREE.TEST from IPv4:10.1.1.6 for krbtgt/FREE.TEST@FREE.TEST
> 2001-03-14T13:54:48 No PA-ENC-TIMESTAMP -- me@FREE.TEST
> 2001-03-14T13:54:48 AS-REQ me@FREE.TEST from IPv4:10.1.1.6 for krbtgt/FREE.TEST@FREE.TEST
> 2001-03-14T13:54:48 TGS-REQ me@FREE.TEST from IPv4:10.1.1.6 for host/carlota.intern@FREE.TEST
>                
> This looks ok, but I still can't log in.

Did you create a keytab file with key entries for
host/carlota.intern@FREE.TEST?

> 
> 
> From another box (RedHat) using the standard RPM (MIT krb5)
> I get on the kdc:
> 2001-03-14T13:57:25 AS-REQ me@FREE.TEST from IPv4:10.1.1.81 for krbtgt/FREE.TEST@FREE.TEST
> 2001-03-14T13:57:25 No PA-ENC-TIMESTAMP -- me@FREE.TEST
> 2001-03-14T13:57:25 AS-REQ me@FREE.TEST from IPv4:10.1.1.81 for krbtgt/FREE.TEST@FREE.TEST
>        
> I can log in, but the $HOME and username remains unchanged.
> klist doesn't show me anything.

There probably is no keytab. Some login programs skip TGT verification
if there are no suitable keytab entries with which to validate TGTs.
This, IMNSHO, is bad; such behaviour should at least be optional.

> 
> What am I missing here?

A keytab, probably.

Nico
--
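
Added example, not part of the original message and not Heimdal code: a heuristic over the KDC log format quoted in the thread that flags clients which obtained a TGT (AS-REQ for krbtgt/) but never requested a host/ service ticket (TGS-REQ), the pattern the RedHat box shows. It assumes a login program that validates the TGT against its keytab fetches a host/ ticket to do so; a plain kinit produces the same AS-REQ-only pattern, so hits are leads for checking whether the host has a keytab. The function name and the sample constant are hypothetical.

```python
import re

# Sample input: the KDC log lines quoted in the thread, embedded so this runs offline.
SAMPLE_LOG = """\
2001-03-14T13:54:48 AS-REQ me@FREE.TEST from IPv4:10.1.1.6 for krbtgt/FREE.TEST@FREE.TEST
2001-03-14T13:54:48 No PA-ENC-TIMESTAMP -- me@FREE.TEST
2001-03-14T13:54:48 AS-REQ me@FREE.TEST from IPv4:10.1.1.6 for krbtgt/FREE.TEST@FREE.TEST
2001-03-14T13:54:48 TGS-REQ me@FREE.TEST from IPv4:10.1.1.6 for host/carlota.intern@FREE.TEST
2001-03-14T13:57:25 AS-REQ me@FREE.TEST from IPv4:10.1.1.81 for krbtgt/FREE.TEST@FREE.TEST
2001-03-14T13:57:25 No PA-ENC-TIMESTAMP -- me@FREE.TEST
2001-03-14T13:57:25 AS-REQ me@FREE.TEST from IPv4:10.1.1.81 for krbtgt/FREE.TEST@FREE.TEST
"""

# timestamp, request type, client principal, client address, requested service
REQ = re.compile(r"^(\S+) (AS-REQ|TGS-REQ) (\S+) from (\S+) for (\S+)$")


def unverified_logins(log_text):
    """Return sorted (client_address, principal) pairs that obtained a TGT
    but for which the KDC never saw a TGS-REQ for a host/ principal."""
    got_tgt = set()
    verified = set()
    for line in log_text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue  # e.g. the "No PA-ENC-TIMESTAMP" pre-authentication notice
        _ts, kind, principal, addr, target = m.groups()
        key = (addr, principal)
        if kind == "AS-REQ" and target.startswith("krbtgt/"):
            got_tgt.add(key)
        elif kind == "TGS-REQ" and target.startswith("host/"):
            verified.add(key)
    # Assumption: a host/ ticket request is the visible trace of keytab-based
    # TGT verification; its absence is what gets reported.
    return sorted(got_tgt - verified)


if __name__ == "__main__":
    for addr, principal in unverified_logins(SAMPLE_LOG):
        print(f"{addr}: {principal} got a TGT but no host/ ticket was requested")
```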