Solaris 8 PAM and MIT Kerberos V
Dan Karlsson
dan.karlsson at inceritus.com
Fri Oct 4 06:38:13 EDT 2002
I'm trying to get the standard Kerberos client on Solaris 8 to authenticate against an MIT KDC. The k-commands (klist etc.) work on the client. The trouble starts when I try to use the Kerberos PAM module (pam_krb5) that ships with Solaris: the `su` below is refused even though the KDC log shows the TGT being issued, and a credentials cache for the user is left behind.
MIT Kerberos 1.2.6
Solaris 8 Generic_108528-16
Regards,
Dan Karlsson
# klist
klist: No credentials cache file found while setting cache flags
(ticket cache /tmp/krb5cc_100)
# su - daka
Password:
su: Sorry
# klist
Ticket cache: /tmp/krb5cc_100
Default principal: daka at XX.YY
Valid starting Expires
Service principal
Fri Oct 04 11:13:48 2002 Fri Oct 04 21:13:48 2002 krbtgt/XX.YY at XX.YY
renew until Fri Oct 11 11:13:48 2002
krb5kdc.log
--snip--
Oct 04 11:12:05 stig krb5kdc[21856](info): AS_REQ (1 etypes {1})
10.8.59.253(0): ISSUE: authtime 1033722725, etypes {rep=1 tkt=16
ses=1}, daka at XX.YY for krbtgt/XX.YY at XX.YY
Oct 04 11:12:05 stig krb5kdc[21856](info): AS_REQ (1 etypes {1})
10.8.59.253(0): ISSUE: authtime 1033722725, etypes {rep=1 tkt=16
ses=1}, daka at XX.YY for krbtgt/XX.YY at XX.YY
--snip--
/etc/krb5/krb5.conf
# /etc/krb5/krb5.conf on the Solaris 8 client (MIT KDC 1.2.6 on the server side).
# Comment lines use '#', which the krb5.conf parser accepts alongside ';'.
[libdefaults]
# Requested initial-ticket lifetime. The unit is not self-evident from this value:
# the klist output above shows a 10-hour TGT (11:13 -> 21:13), which is either 600
# read as minutes by this client, or the KDC's own max_life (MIT's default is 10h)
# capping a larger request. Confirm which before relying on this number.
ticket_lifetime = 600
default_realm = XX.YY
# Enctype preference for AS and TGS requests. des-cbc-crc is single DES and weak;
# it is listed here because the Solaris 8 client asks for nothing else - the KDC
# log above records "AS_REQ (1 etypes {1})" and a DES session key (ses=1), with
# only the ticket itself in des3 (tkt=16). Drop the DES entry once no client
# depends on it; while it stays, every session key this client negotiates is DES.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
XX.YY = {
# KDCs are named, not addressed, so they are resolved through the nsswitch
# "hosts:" order shown later in this post (dns first, then files).
kdc = kerberos.xx.yy:88
kdc = kerberos-1.xx.yy:88
admin_server = kerberos.xx.yy:749
default_domain = xx.yy
}
[domain_realm]
.xx.yy = XX.YY
xx.yy = XX.YY
[appdefaults]
# These apply to kinit only (not to pam_krb5, which has its own [appdefaults] name).
# forwardable=true lets any host the user logs into obtain a copy of the TGT;
# renewable=true is what yields the 7-day "renew until" seen in klist above.
# Both widen the blast radius of a compromised client - enable them only where
# delegation or long-running jobs actually need them.
kinit = {
renewable = true
forwardable= true
}
/etc/pam.conf
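#
#ident "@(#)pam.conf 1.16 01/01/24 SMI"
#
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Solaris 8 /etc/pam.conf as posted: the stock Sun template with the Kerberos V5
# lines already uncommented. Each entry must be on ONE line; the mail archive had
# wrapped "try_first_pass" and one module path onto their own lines, which pam
# would reject as malformed entries - they are rejoined here.
#
# Authentication management
#
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
#
# pam_rhosts_auth trusts ~/.rhosts and /etc/hosts.equiv. As "sufficient" for
# rlogin, a match ends the stack with success, so neither pam_unix nor pam_krb5
# below ever runs for a host listed there.
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
# "su" has no service entry of its own, so it uses the "other" stack: pam_unix
# (required) runs first and prompts for the password; pam_krb5 (optional, further
# down) runs after it with the same password.
other auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_projects.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other password required /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
# NOTE(review): pam_krb5 is "optional" and sits behind a "required" pam_unix, so
# its result cannot rescue the login: if pam_unix rejects the password, the stack
# fails regardless of Kerberos. That matches the symptom in this post - the KDC
# log shows the AS_REQ for daka ISSUED and /tmp/krb5cc_100 is created, yet su
# answers "Sorry" - so the refusal most likely comes from pam_unix (no matching
# local password for daka), not from pam_krb5. Make pam_unix and pam_krb5 agree on
# who decides (e.g. Kerberos required, local password as fallback) rather than
# leaving Kerberos purely advisory. try_first_pass reuses the password pam_unix
# already collected, so the user is prompted once.
rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
other account optional /usr/lib/security/$ISA/pam_krb5.so.1
# "other session" is what stores the TGT in the user's credentials cache.
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#
# Support for Solaris PPP (sppp)
ppp auth required /usr/lib/security/$ISA/pam_unix.so.1
ppp auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
ppp account requisite /usr/lib/security/$ISA/pam_roles.so.1
ppp account required /usr/lib/security/$ISA/pam_projects.so.1
ppp account required /usr/lib/security/$ISA/pam_unix.so.1
ppp session required /usr/lib/security/$ISA/pam_unix.so.1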
/etc/hosts
# /etc/hosts on the client. 10.8.59.253 is the address the KDC log above records
# as the source of daka's AS_REQ, so oskar.xx.yy is the host running pam_krb5.
# With "hosts: dns files" in nsswitch.conf this entry is only consulted when DNS
# gives no answer.
127.0.0.1 localhost
10.8.59.253 oskar.xx.yy oskar loghost
/etc/nsswitch.conf
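#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
#
# Posted copy: the stock Sun "files" template with "hosts" changed to use DNS.
# Two comment lines the mail archive had wrapped onto bare continuation lines
# ("transports.", "will") are rejoined; a bare word with no ':' is not a valid
# nsswitch entry.
passwd: files
group: files
# DNS is consulted BEFORE /etc/hosts. The KDC names in krb5.conf and this host's
# own canonical name (needed for host principals) are therefore taken from DNS
# first; a spoofed or poisoned DNS answer overrides the local /etc/hosts entry.
# "files dns" is the usual order when the local file is meant to be trusted.
hosts: dns files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files
auth_attr: files
prof_attr: files
project: files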