Over the past couple of days I have been troubleshooting a login issue
with one user object - used as an automated login object on 30 lab
machines. Basically, the one user object that had been working just
fine suddenly could no longer log into the ZenWorks Zone - client login
was fine. Started getting a "server certificate or login credentials"
error. All other users worked fine, and other users could log in just
fine to the zone from that workstation. After MUCH messing around I
finally just deleted/re-creatred the user and everything is fine....

That is not the main reason for this post, though. As I worked my way
through the troubleshooting TID and turning on all the logging I could
find - I found a troubling error in the ats.log from the server.

> "2009-10-05 16:47:41,375 WARN authtoksvc.Authenticate init()- SecurityException accessing /etc/CASA/authtoken/svc/auth_mechanisms/Krb5Authenticate/mechanism.settings Exception=java.lang.SecurityException: /etc/CASA/authtoken/svc/jaas.conf (no such file or directory)"

As indicated in this error message -- there is no jaas.conf file in that

I found and tried configuring the jaas.conf file from the templates
directory, but this just caused an error to start showing up in the
catalina.out log: (real server name replaced with (myservername)entry
removed for security)

> "Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /var/lib/CASA/authtoken/svc/ticket.cache isInitiator true KeyTab is /etc/krb5.keytab refreshKrb5Config is false principal is host/(myservername).edu tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> Acquire TGT from Cache
> Principal is host/(myservername).edu@EXAMPLE.COM
> null credentials from Ticket Cache
> Key for the principal host/(myservername).edu@EXAMPLE.COM not available in /etc/krb5.keytab
> [Krb5LoginModule] authentication failed
> Unable to obtain password from user"

There is also no /etc/krb5.keytab file or folder present on the machine.

the jaas,conf file - as I tried to set it up - contains the following:

> other {
> com.sun.security.auth.module.Krb5LoginModule required
> useTicketCache=true
> ticketCache="/var/lib/CASA/authtoken/svc/ticket.cache"
> useKeyTab=true
> principal="host/(myservername).edu"
> doNotPrompt=true
> keyTab="/etc/krb5.keytab"
> storeKey=true
> debug=true;
> };

I just tried my best and things didn't work.

However, normal login form all of my machines continues to work
apparently "fine". However, I did notice that the "normal" login pause
that occurs after typing in the user name and password - about 10
seconds - shrank to about 4 seconds.

I the kerberos piece of the authentication process essential or not, and
should I have these files on my server?

I am running ZCM 10.2.1 on SLES 10. My user store is Edirectory and I
access a remote (sits in the same room on same subnet) OES2 sp1 Linux
server running on SLES 10 also.

Any guidance on this would be greatly appreciated.