Hello Everyone,

Me and a few coworkers are looking to get off the Fedora train and upgrade to SUSE, but I'm having a few issues that I can't seem to resolve.

First, Kerberos is slow to authenticate. It works, but it takes about 3 seconds to accept a good password. When Kerberos denies a bad password it is instant. I'm using minimum uid at 500, but it still checks Kerberos when logging in as root (according to /var/log/messages). Here is a debug log when I log in via ssh as a non-root user.

Also, what is the syntax for setting susefirewall to allow traffic only from one subnet? I see how to limit ports, but not ports and subnets.

Thank You,
jeff

Jul 14 16:52:07 david sshd[6369]: pam_krb5: get_config() called
Jul 14 16:52:07 david sshd[6369]: pam_krb5: Version: pam_krb5 1.3-rc8, @(#)$Revision: 1.29 $
Jul 14 16:52:07 david sshd[6369]: pam_krb5: If you have any problem, mail to pam-krb5-users@lists.sourceforge.net
Jul 14 16:52:07 david sshd[6369]: pam_krb5: Creating a ticket with addresses
Jul 14 16:52:07 david sshd[6369]: pam_krb5: krb4_convert false
Jul 14 16:52:07 david sshd[6369]: pam_krb5: native_krb4_tgt false
Jul 14 16:52:07 david sshd[6369]: pam_krb5: password-changing banner set to `Kerberos 5'
Jul 14 16:52:07 david sshd[6369]: pam_krb5: ccache directory set to `/tmp'
Jul 14 16:52:07 david sshd[6369]: pam_krb5: making tickets forwardable
Jul 14 16:52:07 david sshd[6369]: pam_krb5: keytab file name set to `/etc/krb5.keytab'
Jul 14 16:52:07 david sshd[6369]: pam_krb5: setting heimdal kdc timeout to 3
Jul 14 16:52:07 david sshd[6369]: pam_krb5: will only attempt to authenticate users when UID >= 0
Jul 14 16:52:07 david sshd[6369]: pam_krb5: making tickets proxiable
Jul 14 16:52:07 david sshd[6369]: pam_krb5: setting renewable lifetime to 36000
Jul 14 16:52:07 david sshd[6369]: pam_krb5: required_tgs set to `'
Jul 14 16:52:07 david sshd[6369]: pam_krb5: use_authtok false
Jul 14 16:52:07 david sshd[6369]: pam_krb5: user_check true
Jul 14 16:52:07 david sshd[6369]: pam_krb5: validate false
Jul 14 16:52:07 david sshd[6369]: pam_krb5: warn_period 604800
Jul 14 16:52:07 david sshd[6369]: pam_krb5: old_password_from_auth false
Jul 14 16:52:07 david sshd[6369]: pam_krb5: pam_sm_acct_mgmt() called
Jul 14 16:52:07 david sshd[6369]: pam_krb5: username: `jb715'
Jul 14 16:52:07 david sshd[6369]: pam_krb5: module_stash_name: (pam_krb5_jb715@NET.YALE.EDU_ret_stash)
Jul 14 16:52:07 david sshd[6369]: pam_krb5: Can't get data from prior call to pam_sm_authenticate()
Jul 14 16:52:07 david sshd[6369]: pam_krb5: krb5_kuserok(jb715, jb715) = 1
Jul 14 16:52:16 david sshd[6369]: pam_krb5: krb5_get_in_tkt(jb715,krbtgt/NET.YALE.EDU@NET.YALE.EDU) with bogus decryption functions = -1765328
Jul 14 16:52:16 david sshd[6369]: pam_krb5: pam_sm_acct_mgmt() returning 0 (Success)
Jul 14 16:52:16 david sshd[6369]: Accepted publickey for jb715 from ::ffff:128.36.236.67 port 51805 ssh2
Jul 14 16:52:16 david sshd[6371]: pam_krb5: get_config() called
Jul 14 16:52:16 david sshd[6371]: pam_krb5: Version: pam_krb5 1.3-rc8, @(#)$Revision: 1.29 $
Jul 14 16:52:16 david sshd[6371]: pam_krb5: If you have any problem, mail to pam-krb5-users@lists.sourceforge.net
Jul 14 16:52:16 david sshd[6371]: pam_krb5: Creating a ticket with addresses
Jul 14 16:52:16 david sshd[6371]: pam_krb5: krb4_convert false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: native_krb4_tgt false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: password-changing banner set to `Kerberos 5'
Jul 14 16:52:16 david sshd[6371]: pam_krb5: ccache directory set to `/tmp'
Jul 14 16:52:16 david sshd[6371]: pam_krb5: making tickets forwardable
Jul 14 16:52:16 david sshd[6371]: pam_krb5: keytab file name set to `/etc/krb5.keytab'
Jul 14 16:52:16 david sshd[6371]: pam_krb5: setting heimdal kdc timeout to 3
Jul 14 16:52:16 david sshd[6371]: pam_krb5: will only attempt to authenticate users when UID >= 0
Jul 14 16:52:16 david sshd[6371]: pam_krb5: making tickets proxiable
Jul 14 16:52:16 david sshd[6371]: pam_krb5: setting renewable lifetime to 36000
Jul 14 16:52:16 david sshd[6371]: pam_krb5: required_tgs set to `'
Jul 14 16:52:16 david sshd[6371]: pam_krb5: use_authtok false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: user_check true
Jul 14 16:52:16 david sshd[6371]: pam_krb5: validate false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: warn_period 604800
Jul 14 16:52:16 david sshd[6371]: pam_krb5: old_password_from_auth false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: pam_sm_setcred() called
Jul 14 16:52:16 david sshd[6371]: pam_krb5: module_stash_name: (pam_krb5_jb715@NET.YALE.EDU_cred_stash)
Jul 14 16:52:16 david sshd[6371]: pam_krb5: Try to get KRB5CCNAME from PAM with pam_getenv()
Jul 14 16:52:16 david sshd[6371]: pam_krb5: `jb715' has uid 25730, gid 25730
Jul 14 16:52:16 david sshd[6371]: pam_krb5: call pam_getenv()
Jul 14 16:52:16 david sshd[6371]: pam_krb5: pam_getenv() can't get KRB5CCNAME from PAM
Jul 14 16:52:16 david sshd[6371]: pam_krb5: Kerberos 5 credential retrieval failed for `jb715', user is probably local
Jul 14 16:52:16 david sshd[6371]: pam_krb5: pam_sm_setcred returning 15 (Authentication service cannot retrieve user credentials)
Jul 14 16:52:16 david sshd[6371]: pam_krb5: get_config() called
Jul 14 16:52:16 david sshd[6371]: pam_krb5: Version: pam_krb5 1.3-rc8, @(#)$Revision: 1.29 $
Jul 14 16:52:16 david sshd[6371]: pam_krb5: If you have any problem, mail to pam-krb5-users@lists.sourceforge.net
Jul 14 16:52:16 david sshd[6371]: pam_krb5: Creating a ticket with addresses
Jul 14 16:52:16 david sshd[6371]: pam_krb5: krb4_convert false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: native_krb4_tgt false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: password-changing banner set to `Kerberos 5'
Jul 14 16:52:16 david sshd[6371]: pam_krb5: ccache directory set to `/tmp'
Jul 14 16:52:16 david sshd[6371]: pam_krb5: making tickets forwardable
Jul 14 16:52:16 david sshd[6371]: pam_krb5: keytab file name set to `/etc/krb5.keytab'
Jul 14 16:52:16 david sshd[6371]: pam_krb5: setting heimdal kdc timeout to 3
Jul 14 16:52:16 david sshd[6371]: pam_krb5: will only attempt to authenticate users when UID >= 0
Jul 14 16:52:16 david sshd[6371]: pam_krb5: making tickets proxiable
Jul 14 16:52:16 david sshd[6371]: pam_krb5: setting renewable lifetime to 36000
Jul 14 16:52:16 david sshd[6371]: pam_krb5: required_tgs set to `'
Jul 14 16:52:16 david sshd[6371]: pam_krb5: use_authtok false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: user_check true
Jul 14 16:52:16 david sshd[6371]: pam_krb5: validate false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: warn_period 604800
Jul 14 16:52:16 david sshd[6371]: pam_krb5: old_password_from_auth false
Jul 14 16:52:16 david sshd[6371]: pam_krb5: pam_sm_setcred() called
Jul 14 16:52:16 david sshd[6371]: pam_krb5: module_stash_name: (pam_krb5_jb715@NET.YALE.EDU_cred_stash)
Jul 14 16:52:16 david sshd[6371]: pam_krb5: Try to get KRB5CCNAME from PAM with pam_getenv()
Jul 14 16:52:16 david sshd[6371]: pam_krb5: `jb715' has uid 5730, gid 2730
Jul 14 16:52:16 david sshd[6371]: pam_krb5: call pam_getenv()
Jul 14 16:52:16 david sshd[6371]: pam_krb5: pam_getenv() can't get KRB5CCNAME from PAM
Jul 14 16:52:16 david sshd[6371]: pam_krb5: Kerberos 5 credential retrieval failed for `jb715', user is probably local
Jul 14 16:52:16 david sshd[6371]: pam_krb5: pam_sm_setcred returning 15 (Authentication service cannot retrieve user credentials)
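
An added example, not part of the original post: a small Python script that shows where the time goes in a pam_krb5 debug log like the one above, by reporting gaps between consecutive lines of the same sshd process. The sample lines are excerpted from the post's log; the function names, the 2-second threshold and the placeholder year are assumptions of this example.

```python
import re
from datetime import datetime

# Lines excerpted from the debug log in the post above.
SAMPLE_LOG = """\
Jul 14 16:52:07 david sshd[6369]: pam_krb5: pam_sm_acct_mgmt() called
Jul 14 16:52:07 david sshd[6369]: pam_krb5: username: `jb715'
Jul 14 16:52:07 david sshd[6369]: pam_krb5: krb5_kuserok(jb715, jb715) = 1
Jul 14 16:52:16 david sshd[6369]: pam_krb5: krb5_get_in_tkt(jb715,krbtgt/NET.YALE.EDU@NET.YALE.EDU) with bogus decryption functions = -1765328
Jul 14 16:52:16 david sshd[6369]: pam_krb5: pam_sm_acct_mgmt() returning 0 (Success)
Jul 14 16:52:16 david sshd[6371]: pam_krb5: get_config() called
Jul 14 16:52:16 david sshd[6371]: pam_krb5: pam_sm_setcred() called
"""

# timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse_ts(text, year=2000):
    # Classic syslog timestamps carry no year; the year is an assumed
    # placeholder so differences within one log can be computed.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_stalls(log_text, threshold=2.0):
    """Return (seconds, pid, message_before, message_after) for every gap of
    at least `threshold` seconds between consecutive lines of one PID."""
    last = {}    # pid -> (timestamp, message) of that process's previous line
    stalls = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip wrapped fragments and non-syslog lines
        ts, pid, msg = parse_ts(m["ts"]), int(m["pid"]), m["msg"]
        if pid in last:
            gap = (ts - last[pid][0]).total_seconds()
            if gap >= threshold:
                stalls.append((gap, pid, last[pid][1], msg))
        last[pid] = (ts, msg)
    return sorted(stalls, reverse=True)  # longest stall first

if __name__ == "__main__":
    for gap, pid, before, after in find_stalls(SAMPLE_LOG):
        print(f"{gap:.0f}s stall in sshd[{pid}]")
        print(f"  last line before: {before}")
        print(f"  first line after: {after}")
```

On the excerpt it reports a single 9-second gap in sshd[6369], between the `krb5_kuserok` line and the `krb5_get_in_tkt` line.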