GSSAPI not working and no error is reported
I have set up Kerberos/LDAP authentication and authorization to Windows 2003 AD. I have this working: I get a ticket, and all AD users can authenticate on my Solaris servers, which have no local accounts. The problem I am having is that GSSAPI is not working, so users are prompted for a password with every login. I have tried debugging the SSH session, but I do not see an error; I only see that it tries GSSAPI and then moves on to keyboard-interactive and requests a password. I can enter the password and access is granted, but since the user already has a ticket, they should not be prompted at all. If anyone can help, please do. Here are the GSSAPI portions of the SSH attempt; I can provide the whole log if need be. Also, this is all with Solaris built-in software, no 3rd-party ssh/krb5/ldap/pam_krb5/ssl.
Client Side
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: Authenticating with GSS-API context from key exchange (w/ MIC)
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: ssh_gssapi_init_ctx(653e8, solaris10.example.com, 0, 0, ffbff7dc)
debug3: ssh_gssapi_import_name: snprintf() returned 45, expected 46
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: ssh_gssapi_init_ctx(770d0, solaris10.example.com, 0, 0, ffbff8b8)
debug3: ssh_gssapi_import_name: snprintf() returned 45, expected 46
debug1: ssh_gssapi_init_ctx(770d0, solaris10.example.com, 0, ffbff8c0, ffbff8b4)
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
Server Side
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
debug2: input_userauth_request: setting up authctxt for davissha
debug2: input_userauth_request: try method none
Failed none for testuser from 10.25.248.143 port 37561 ssh2
debug1: userauth-request for user testuser service ssh-connection method gssapi-keyex
debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
debug2: input_userauth_request: try method gssapi-keyex
debug2: Mapping initiator GSS-API principal to local username
debug2: Mapped the initiator to: testuser
debug2: Starting PAM service sshd-gssapi for method gssapi-keyex
debug3: Trying to reverse map address 10.25.248.143.
Failed gssapi-keyex for testuser from 10.25.248.143 port 37561 ssh2
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 initial attempt 0 failures 2 initial failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
debug2: Mapping initiator GSS-API principal to local username
debug2: Mapped the initiator to: testuser
debug2: Starting PAM service sshd-gssapi for method gssapi-with-mic
Failed gssapi-with-mic for testuser from 10.25.248.143 port 37561 ssh2
debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive
debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
debug2: Calling pam_authenticate()
debug2: PAM echo off prompt: Password:
debug2: Nesting dispatch_run loop
At this point, the client is sitting at a password prompt.
Thanks in advance for any assistance....
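Added example, not part of the original post: a small triage script that walks a server-side sshd debug log like the one above and reports, for each authentication method, the last stage logged before the attempt ended. The function names and stage labels are made up for this example, and the sample input is abridged from the log in the post.

```python
import re

# Server-side sshd debug lines, abridged from the post above.
SAMPLE_LOG = """\
debug1: userauth-request for user testuser service ssh-connection method gssapi-keyex
debug2: Mapped the initiator to: testuser
debug2: Starting PAM service sshd-gssapi for method gssapi-keyex
Failed gssapi-keyex for testuser from 10.25.248.143 port 37561 ssh2
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug2: Mapped the initiator to: testuser
debug2: Starting PAM service sshd-gssapi for method gssapi-with-mic
Failed gssapi-with-mic for testuser from 10.25.248.143 port 37561 ssh2
debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
debug2: Calling pam_authenticate()
"""

REQUEST = re.compile(r"userauth-request for user \S+ service \S+ method (\S+)")
# "Accepted" does not appear in the post; that line shape is an assumption.
OUTCOME = re.compile(r"^\s*(Failed|Accepted) (\S+) for \S+")
STAGES = [
    ("gss-principal-mapped", re.compile(r"Mapped the initiator to: \S+")),
    ("pam-service-started", re.compile(r"Starting PAM service (\S+) for method")),
    ("pam-authenticate-called", re.compile(r"Calling pam_authenticate\(\)")),
]

def trace_attempts(log_text):
    """Return one record per userauth-request: method, stages reached, outcome."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            cur = {"method": m[1], "stages": [], "pam_service": None, "outcome": "pending"}
            attempts.append(cur)
        elif cur and (m := OUTCOME.match(line)) and m[2] == cur["method"]:
            cur["outcome"] = m[1].lower()
        elif cur:
            for stage, pattern in STAGES:
                if m := pattern.search(line):
                    cur["stages"].append(stage)
                    if stage == "pam-service-started":
                        cur["pam_service"] = m[1]
    return attempts

def summarize(attempts):
    return [f"{a['method']}: {a['outcome']} after "
            f"{a['stages'][-1] if a['stages'] else 'request'}"
            f" (PAM service: {a['pam_service']})" for a in attempts]

print("\n".join(summarize(trace_attempts(SAMPLE_LOG))))
```

On the sample, both GSS-API attempts end right after the sshd-gssapi PAM service is started, with the initiator already mapped to testuser, while the keyboard-interactive attempt is the only one that logs a pam_authenticate() call.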