"error reading keytab 'FILE:/etc/krb5.keytab'"
This is related to
https://access.redhat.com/site/solutions/53371
However, I am using pam_krb5-2.2.14-22.el5.x86_64 (or later) and multiple servers are still reporting the same issue:
secure.1:Nov 23 21:38:56 PAM_TEST sshd[3335]: pam_krb5[3335]: error reading keytab 'FILE:/etc/krb5.keytab'
secure.1:Nov 23 21:38:56 PAM_TEST sshd[3335]: pam_krb5[3335]: TGT verified
secure.1:Nov 23 21:38:56 PAM_TEST sshd[3335]: pam_krb5[3335]: authentication succeeds for 'jdoe'
I have attempted to add "no_validate" to:
/etc/pam.d/password-auth-ac
/etc/pam.d/system-auth-ac
For example:
auth sufficient pam_krb5.so use_first_pass no_validate
But I am still seeing a ton of these messages in the logs. I would be grateful for any assistance that can be offered.
Responses
I have similar messages like this, but mine start with NMO:
nmo: pam_krb5: TGT verified: 13 Time(s)
nmo: pam_krb5: authentication succeeds for 'zzzz' (zzz@yyy.xx): 13 Time(s)
nmo: pam_krb5: error reading keytab 'FILE:/etc/krb5.keytab': 13 Time(s)
(We are not using Kerberos tickets, only AD authentication.)
The no_validate (or novalidate) option could be placed in the pam.d/... config files, but I have not yet figured out the exact placement. We already have the following in place:
[root@xxx pam.d]# grep validate *
password-auth:auth sufficient pam_krb5.so use_first_pass novalidate
password-auth-ac:auth sufficient pam_krb5.so use_first_pass novalidate
system-auth:auth sufficient pam_krb5.so use_first_pass novalidate
system-auth-ac:auth sufficient pam_krb5.so use_first_pass novalidate
Hopefully this will help someone, because it is annoying in our logs.
The info I have gathered so far is that NMO is Oracle related, and that it is supposedly an installation issue. But I am guessing that it is still a configuration option we have to add to the /etc/pam.d/ modules somewhere.
