Kerberos Admin Authentication Failures

Created On 09/26/18 20:33 PM - Last Modified 06/13/23 04:54 AM


Issue

Kerberos settings appear correct, but authentication fails when the Kerberos authentication profile is bound to an Admin user.

Excerpt of failed logs:

> tail follow yes mp-log authd.log

Oct 24 11:18:26 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: bryan

Oct 24 11:18:26 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'','','bryan'>

Oct 24 11:18:26 bryan admin is being authed

Oct 24 11:18:26 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof Kerberos for admin bryan

Oct 24 11:18:26 pan_authd_handle_admin_auths(pan_authd.c:2022): shared/Kerberos is auth prof is of type (auth profile)

Oct 24 11:18:26 pan_authd_common_authenticate(pan_authd.c:1554): Authenticating user using service /etc/pam.d/pan_krb5_shared_:kerberos,username bryan

Oct 24 11:18:26 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)

Oct 24 11:18:26 authentication failed for user <shared,Kerberos,bryan>

Oct 24 11:18:26 pan_authd_process_authresult(pan_authd.c:1258): pan_authd_process_authresult: bryan authresult not auth'ed

Oct 24 11:18:26 pan_authd_process_authresult(pan_authd.c:1282): Alarm generation set to: False.

Oct 24 11:18:26 User 'bryan' failed authentication.  Reason: Invalid username/password From: 10.16.0.96.

Oct 24 11:18:26 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Oct 24 11:18:26 pan_authd_generate_system_log(pan_authd.c:844): CC Enabled=False

Oct 24 11:18:26 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Resolution

Through the UI or config mode, verify the Realm:

Use the following CLI command to verify the realm:

# show shared server-profile kerberos

kerberos {
  Kerberos-Test {
    server {
      w2k3ad.pantac2003.com {
        host 10.30.1.122;
        port 88;
      }
    }
    realm pantac2003.com;
  }
}

Use the following CLI command to attempt to ping the realm from the device:

> ping host pantac2003.com

If the ping fails (i.e., "unknown host pantac2003.com"), enter a DNS server capable of resolving the realm.

This setting can be modified under the Device tab > Setup > Services > DNS.

Once you have confirmed that the device can resolve the realm, authentication should succeed:

> tail follow yes mp-log authd.log

Oct 24 11:20:40 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: bryan

Oct 24 11:20:40 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'','','bryan'>

Oct 24 11:20:40 bryan admin is being authed

Oct 24 11:20:40 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof Kerberos for admin bryan

Oct 24 11:20:40 pan_authd_handle_admin_auths(pan_authd.c:2022): shared/Kerberos is auth prof is of type (auth profile)

Oct 24 11:20:40 pan_authd_common_authenticate(pan_authd.c:1554): Authenticating user using service /etc/pam.d/pan_krb5_shared_:kerberos,username bryan

Oct 24 11:20:40 pan_authd_authenticate_service(pan_authd.c:663): authentication succeeded (0)

Oct 24 11:20:40 pan_authd_authenticate_service(pan_authd.c:669): account is valid

Oct 24 11:20:40 authentication succeeded for user <shared,Kerberos,bryan>

Oct 24 11:20:40 pan_authd_process_authresult(pan_authd.c:1258): pan_authd_process_authresult: bryan authresult auth'ed

Oct 24 11:20:40 Request received to unlock shared/Kerberos/bryan

Oct 24 11:20:40 User 'bryan' authenticated.   From: 10.16.0.96.

Oct 24 11:20:40 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Oct 24 11:20:40 pan_authd_generate_system_log(pan_authd.c:844): CC Enabled=False

Oct 24 11:20:40 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Oct 24 11:20:40 pan_authd_service_req(pan_authd.c:2610): Authd:get group request

Oct 24 11:20:40 pan_authd_handle_group_req(pan_authd.c:2561): Got user role/adomain / for user bryan
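For triaging this symptom from an exported authd.log, the following added example (not part of the original article or of PAN-OS) extracts failed Kerberos admin logins and pairs each with a name-resolution check of the realm, since the logged reason reads "Invalid username/password" even when the cause is DNS. The function names are hypothetical, and the resolution check is only meaningful when run from a host that uses the same DNS servers as the firewall.

```python
import re
import socket

# Lines taken from the failed-attempt excerpt in this article.
SAMPLE_LOG = """\
Oct 24 11:18:26 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof Kerberos for admin bryan
Oct 24 11:18:26 pan_authd_common_authenticate(pan_authd.c:1554): Authenticating user using service /etc/pam.d/pan_krb5_shared_:kerberos,username bryan
Oct 24 11:18:26 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)
Oct 24 11:18:26 User 'bryan' failed authentication.  Reason: Invalid username/password From: 10.16.0.96.
"""

PROFILE = re.compile(r"Using auth prof (\S+) for admin (\S+)")
KRB_PAM = re.compile(r"using service \S*pan_krb5\S*,username (\S+)")
RESULT = re.compile(r"authentication (failed|succeeded) \((\d+)\)")
REASON = re.compile(r"User '([^']+)' failed authentication\.\s+Reason: (.+?) From: ([\d.]+)\.")

def kerberos_admin_failures(log_text):
    """Return one dict per failed Kerberos admin login found in authd.log text."""
    events, cur = [], None
    for line in log_text.splitlines():
        if m := PROFILE.search(line):
            cur = {"profile": m[1], "user": m[2], "kerberos": False, "code": None}
        elif cur is None:
            continue
        elif m := KRB_PAM.search(line):
            cur["kerberos"] = m[1] == cur["user"]
        elif m := RESULT.search(line):
            if m[1] == "succeeded":
                cur = None            # successful attempt, nothing to report
            else:
                cur["code"] = int(m[2])
        elif (m := REASON.search(line)) and m[1] == cur["user"]:
            if cur["kerberos"] and cur["code"] is not None:
                events.append({**cur, "reason": m[2], "source": m[3]})
            cur = None
    return events

def realm_resolves(realm, resolver=socket.getaddrinfo):
    """Name-resolution check for the realm (the article tests this with ping)."""
    try:
        resolver(realm, 88)
        return True
    except OSError:               # socket.gaierror is a subclass of OSError
        return False

def triage(log_text, realm, resolver=socket.getaddrinfo):
    """Attach a DNS verdict to each failure; the logged reason alone is not enough."""
    dns_ok = realm_resolves(realm, resolver)
    return [{**e, "realm": realm, "realm_resolves": dns_ok} for e in kerberos_admin_failures(log_text)]
```

A finding with `realm_resolves` set to False points at the DNS setting described above before any credential reset is attempted.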

owner: bryan


