Linux Client fails logon on Solaris server

Arun Perinkolam arunp at sun.com
Mon Aug 2 19:36:07 EDT 2004


> > Firstly, have you created a valid kerberos principal
> > in the Solaris 9 KDC database for the ldap user in question?
>
> The user has following DN:
> uid=bob,ou=people,ou=sale,ou=examplecity,dc=example,dc=com and the principal
> is bob/sale.examplecity.example.com.
> The mapping looks like
> dsmatching-pattern: ${Principal}
> dsmatching-regexp: (.*)/(.*).(.*).example.com at REALM
> dsmappeddn: uid=$1,ou=people,ou=$2,ou=$3,dc=example,dc=com
>

On the S9 KDC, what does a #kadmin.local -q "getprinc bob at REALM" reveal?

If there is no principal for bob, you would need to do:

bash-2.05b# kadmin.local
Authenticating as principal root/admin at REALM with password.
kadmin.local:  addprinc bob
<enter ldap pwd for bob>


> >
> > And for pam-kerberos to work correctly, you would need to setup
> > pam.conf correctly for the required service (which in this case
> > is login, I presume) on the client.
>
> I did that too. The lines for authentication look like
> (...)
> auth    sufficient    pam_unix.so likeauth nullok
> auth    sufficient pam_krb5.so use_first_pass
> (...)


If you want to authenticate using ldap, I think you would also
need a PAM ldap module on the stack, marked as
requisite/required.

And you might want to change the control flag for pam_unix
to 'required'/'requisite' (as the case may be), since with 'sufficient',
if successful, it will return immediately without doing pam_krb5.

>
> I'm not sure if the thing with the host principal worked well. Do I always
> need a principal for the host and what's the easiest way to create a
> principal for a Linux box on a Solaris KDC?


Which pam-kerberos module are you using?

If it does TGT verification you would need
the host svc principal in your local keytab
on the Linux box.

On the s9 KDC, do
bash-2.05b# kadmin.local
Authenticating as principal root/admin at REALM with password.
kadmin.local:  addprinc -randkey host/<fqdn of client>

Add this principal to a tmp keytab on the KDC and securely transfer
this to your linux client.

Arun.

>
> Thanks for answers,
> Johannes
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
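The dsmatching-regexp quoted from Johannes above uses unescaped dots, so its groups are ambiguous; the added script below (not part of the thread) applies that pattern and a tightened one to the principal from the thread using Python's re module. It assumes the archive rewrote "@" as " at ", so "@REALM" is restored; the directory server's own regex dialect may split differently from Python's, which is exactly why an unambiguous pattern is worth having.

```python
import re
from typing import Optional

# Constructed from the thread: bob's principal with "@" restored.
PRINCIPAL = "bob/sale.examplecity.example.com@REALM"

# The dsmatching-regexp exactly as posted, with "@" restored.
# Every "." here matches any character, and the groups are greedy.
LOOSE_RE = r"(.*)/(.*).(.*).example.com@REALM"

# Tightened version (added here, not from the thread): dots escaped,
# one DNS label per group, anchored so no other shape of name matches.
STRICT_RE = r"^([^/@]+)/([^.]+)\.([^.]+)\.example\.com@REALM$"

# The dsmappeddn template from the thread, $1/$2/$3 as format fields.
DN_TEMPLATE = "uid={0},ou=people,ou={1},ou={2},dc=example,dc=com"


def map_principal(principal: str, pattern: str) -> Optional[str]:
    """Match the principal against a dsmatching-regexp-style pattern and
    build the mapped DN; None means the pattern does not apply."""
    m = re.fullmatch(pattern, principal)
    if m is None:
        return None
    return DN_TEMPLATE.format(*m.groups())


def main() -> None:
    for name, pat in (("loose", LOOSE_RE), ("strict", STRICT_RE)):
        print(f"{name:6}: {map_principal(PRINCIPAL, pat)}")
    # A host name with no dots at all still satisfies the loose pattern,
    # because its unescaped dots accept any character.
    odd = "bob/saleXexamplecityXexampleYcom@REALM"
    print("loose, odd host :", map_principal(odd, LOOSE_RE))
    print("strict, odd host:", map_principal(odd, STRICT_RE))


if __name__ == "__main__":
    main()
```

With the loose pattern the greedy second group swallows "sale.examplecit" and leaves ou= empty, so the user is mapped to a DN that does not exist; the strict pattern yields uid=bob,ou=people,ou=sale,ou=examplecity,dc=example,dc=com.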