OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found

Douglas E. Engert deengert at
Tue Nov 29 02:22:25 EST 2005

Matthias Gerstner wrote:

> Greetings,
> I'm working on the infrastructure of a medium size client/server
> environment using an Active Directory running on Windows Server 2003 for
> central authentication of users on linux clients.
> Additionally OpenAFS is running using Kerberos authentication through
> Active Directory as well.

This sounds like our site, AD for the KDCs, and OpenAFS, but we have some
extra pam routines, pam_afs2 and pam_krb5_ccache, for systems where the vendor's
pam_krb5 does not know about AFS.

> Now I want to grant users remote access to their AFS data by logging in
> into a central OpenSSH server running on linux.
> As authentication at the Active Directory works well when logging in
> locally on the linux clients using PAM I wanted to use PAM also for the
> SSH access.
> Unfortunately I've run into problems trying to get the OpenSSH setup
> running. I have tried OpenSSH PAM support and OpenSSH's internal
> kerberos support. But both result in errors.
> When using PAM authentication (using the same PAM stack we're using for
> local authentication on the clients that works with I can
> successfully login on the OpenSSH server but don't get the Kerberos5
> ticket written to /tmp/krb5cc_[...]. The following error is written to
> the logs:

> --
> -bash: GSSAPI Error: Miscellaneous failure (No Credentials cache found)
> --

Does the host have a host/<fqdn>@<REALM> principal in the krb5.keytab?

> Also the variable KRB5CCNAME isn't defined. I've investigated about this
> problem already on the net and tried different setups and approaches but
> to no avail. I need the kerberos5 ticket for use of OpenAFS.

DOes it write it to some other location?

> When trying internal Kerberos support of OpenSSH I can't login at all
> while getting the following error messages in the log:
> --
> GSSAPI Error: Miscellaneous failure (Credentials cache permission incorrect)
> Failed password for <user> from <ip> port <port> ssh2
> --
> I had a look at the responsible source code in auth-krb5.c. By doing
> some debugging there I found out that the following code fragment fails:
> auth-krb5.c:137
> ---
> if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
> 					authctxt->pw->pw_name)) {
> 	problem = -1;
> 	goto out;
> }
> ---
> When I comment out this if-block then I can login using OpenSSH's
> internal kerberos support and even get my kerberos5 ticket and KRB5CCNAME.

> I'm not that involved into kerberos on the coding side. What does the
> krb5_kuserok method do exactly? Why could it fail? Is it critical to
> comment it out?

Yes it is critical. It is an authorization check that says this
user principal is allowed to use this local unix account.

It looks at the ~/.k5login and the  krb5.conf  [realm] auth_to_local
variables to do test the mapping.

By default, if the kerberos principal is user at realm  and the local account
is username and user == username  and realm == default-realm-of-host,
then krb5_kuserok does not need to check the .k5login.

(With AD the realm is the uppercase of the AD domain name, fully qualified)

> I'd be happy if somebody had a solution or an advice for me. The best
> would be to get PAM authentication to correctly write the kerberos
> ticket to file.
> Oh, and here is some more data about my OpenSSH server system:
> It's running on Gentoo Linux using
> - OpenSSH 4.2_p1 with kerberos, ldap and pam support enabled
> - mit-krb5-1.4.1-r2 with krb4 support enabled
> - pam_krb5-1.0-r1
> - pam-0.78-r3
> Thanks in advance for your support,
> Matthias Gerstner
> --
> Matthias.Gerstner at
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list