Debian – Kerberos-PAM authentication failure: pam or pre-authentication


kinit -p 'username' works — no problem with the setup of the Kerberos realm.

I can't get the login from the GUI to work, however.

Client auth.log:

pam_krb5(gdm3:auth): user <username> authenticated as <user>@<realm>
gkr-pam: error looking up user information

Server krb5kdc.log:

Oct 01 02:27:23 debian krb5kdc[6996](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.11:
NEEDED_PREAUTH: <user>@<realm> for krbtgt/<realm>@<realm>, Additional
pre-authentication required


Oct 01 02:27:23 debian krb5kdc[6996](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.11: 
ISSUE: authtime 1412144843, etypes {rep=18 tkt=18 ses=18}, <user>@<realm> for 
krbtgt/<realm>@<realm>

In other words, the Kerberos server issues the ticket to the client without a problem, but the login from the GUI doesn't work.
Any thoughts are really appreciated!

Both client and server are running Debian 7.6.0 x86_64.

Best Answer

The key line to look at is:

gkr-pam: error looking up user information

Successful authentication doesn't necessarily mean access will be granted by PAM. The user must be recognized by the operating system, and must also pass the accounting checks (the account modules in the PAM stack).

The error above suggests that the user either does not exist on the system (from the console, do getent passwd <username> and getent shadow <username> both work?), or one of the PAM modules you have configured is having difficulty obtaining information about the user from a remote source.

Focus your investigation in this direction and you should be able to identify and correct the issue.
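
The check the answer describes, as an added example that is not part of the original answer: it reads auth.log text, picks out each pam_krb5 success line, and tests whether the local account resolves through NSS (the same passwd lookup that getent passwd performs; shadow is not covered). The sample log is constructed, and "alice" and "EXAMPLE.ORG" are placeholders for <username> and <realm>.

```python
import pwd
import re

# Constructed sample in the shape of the auth.log excerpt in the question.
SAMPLE_LOG = """\
pam_krb5(gdm3:auth): user alice authenticated as alice@EXAMPLE.ORG
gkr-pam: error looking up user information
pam_krb5(sshd:auth): user root authenticated as root@EXAMPLE.ORG
"""

# Matches the pam_krb5 success line; search() tolerates a syslog prefix.
AUTH_OK = re.compile(
    r"pam_krb5\((?P<service>[^:)]+):auth\): "
    r"user (?P<user>\S+) authenticated as (?P<principal>\S+)"
)


def nss_has_user(name):
    """True if the passwd database, resolved through NSS, knows this name."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def find_unresolvable(log_text, lookup=nss_has_user):
    """Return (service, user, principal) for every Kerberos success whose
    local account cannot be resolved, i.e. authentication passed but the
    operating system does not recognise the user."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if not m:
            continue
        key = (m["service"], m["user"], m["principal"])
        if key in seen:
            continue  # report each service/user pair once
        seen.add(key)
        if not lookup(m["user"]):
            findings.append(key)
    return findings


if __name__ == "__main__":
    for service, user, principal in find_unresolvable(SAMPLE_LOG):
        print(f"{service}: {principal} authenticated, but there is no passwd "
              f"entry for {user!r}; check nsswitch.conf and the user source")
```

Run it on the client that fails to log in, since the lookup uses that machine's own NSS configuration.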
