(Sun Enterprise Authentication Module) SEAM

Muhammed Reahan reahan2001 at yahoo.com
Fri Aug 8 10:33:22 EDT 2003

Topic (Sun Enterprise Authentication Module) SEAM Authentication On clients
Hello sir,
I am using SEAM on 5 workstations. Four systems are clients and the 5th is the server.
I have a little problem while authenticating my clients.
Most of the time the server is running. But sometimes, due to the network cable
or some other reasons, the server (Master KDC) is not available, so my workstations
wait almost 5 minutes. So for five minutes the workstations are in a sort of hung state.
You cannot do anything. Actually, what I think is that they are continuously
checking for the availability of the master KDC.
I want to reduce the default time that a workstation waits for the KDC.
So is there any way that I can handle this problem?
I will be very thankful to you.
From Muhammad Rehan
Bahria University Islamabad

Re: which krb5 PAM module on Solaris 8?

Balazs GAL balsa at rit.bme.hu
Sat Aug 9 08:55:26 EDT 2003

To: Tim Mooney <mooney at dogbert.cc.ndsu.NoDak.edu>
Cc: kerberos at mit.edu

Tim Mooney wrote:

>>PAM has hooks for this; they work about as well as the rest of PAM.
> In your opinion, how well is that?

I recommend that you use NSS groups as the source DB for authorization, 
and use pam_access for authorization.

> As you can see, though, to fully function within this system, I'm in need
> of a PAM module that can essentially do "username conversion" as part of
> the authentication phase, because what a user supplies at the telnet
> prompt as their username may not be what their actual underlying
> identifier is on the system (and it may not be what is used as part of
> Kerberos 5 authentication, so the "username conversion" needs to happen
> *in* the authentication phase)
> It's my understanding that the PAM API supports this feature (i.e. who
> you supply at a login prompt may be different from your underlying ID on
> the box),
> but most PAM modules don't bother to call whatever function it
> is that PAM has that does the username conversion.  I'm not (yet) a PAM
> guru, though, so I could be wildly mistaken.

PAM doesn't have such a function. The PAM modules use PAM_USER as the 
username, and you can preset or alter PAM_USER from any app or from a 
PAM module.
But it's true that it is not a common usage.

One solution may be that you write a PAM module which prompts for the
username (it will get Tim.Mooney), then makes a lookup in LDAP and 
converts it to the POSIX username (mooney) and stores it as PAM_USER.

I saw such a module, and with a well-written PAM-aware application it can work.
The main problem with it can be that, e.g., the application gets the 
username itself and stores it internally (independent of PAM) and then 
tries to use it as the POSIX username (e.g. PAM-aware poppasswd).

> That's why I believe I need a source-available pam_krb5 module for
> authentication, instead of going with something like SEAM's authentication
> module.  If I'm wrong, I would love to hear about it.

No, the problems here are not with PAM modules; they will simply use
PAM_USER, and if you alter it with a pre-existing PAM module, then it
works well.
The problems here are with the application.

So even if you write your own pam_krb5, you will have problems with
apps (and Solaris has many broken PAM-aware applications).

> For the particular Solaris box in question, it's not currently doing the
> electronic ID to POSIX username conversion anyway, so it's not fully
> functioning as part of the Hurderos system right now.

I strongly recommend that you don't use the "Hurderos IAA usernames" anywhere.

>  Users that want to
> authenticate to that system are required to know and use their POSIX
> username.

Yes, but it will work. :)

> Tim

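The username-rewriting PAM module that Balazs describes above, written out as an added example; it is not code from this thread, from Solaris/SEAM, or from any Hurderos component. The lookup in map_login_to_posix() uses a constructed in-memory table in place of the LDAP query he mentions. The pam_sm_authenticate() entry point uses the standard PAM module API (pam_get_user, pam_set_item, PAM_USER) and is compiled in only when PAM_MODULE_BUILD is defined, so the lookup logic builds and runs without the PAM development headers; the build command in the comment is an assumption about a Linux-PAM toolchain.

```c
/* Added example, not from the mailing list or any vendor: a minimal PAM
 * module that converts the name a user types at the login prompt
 * (e.g. "Tim.Mooney") into the POSIX account name ("mooney") and stores it
 * as PAM_USER, so every module stacked after it (pam_krb5, pam_unix, ...)
 * sees the converted name.
 *
 * Assumed build line for the PAM entry point (Linux-PAM toolchain):
 *   cc -shared -fPIC -DPAM_MODULE_BUILD map_user.c -lpam -o pam_mapuser.so
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed directory standing in for the LDAP lookup: typed login name
 * (the "electronic ID") -> POSIX username. */
struct mapping { const char *login_name; const char *posix_name; };
static const struct mapping directory[] = {
    { "Tim.Mooney", "mooney" },
    { "Balazs.Gal", "balsa"  },
};

/* ASCII case-insensitive equality, so "tim.mooney" and "Tim.Mooney" match. */
static int names_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Return the POSIX account name for a typed login name, or NULL when the
 * directory has no entry. The caller must treat NULL as a failure rather
 * than falling back to the typed string, so an unmapped name can never be
 * used as an account name. */
const char *map_login_to_posix(const char *typed)
{
    size_t i;
    if (typed == NULL || *typed == '\0')
        return NULL;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (names_equal(typed, directory[i].login_name))
            return directory[i].posix_name;
    return NULL;
}

#ifdef PAM_MODULE_BUILD
#include <security/pam_modules.h>

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *typed = NULL;
    const char *posix;
    (void)flags; (void)argc; (void)argv;

    /* pam_get_user() hands back the current PAM_USER, prompting through the
     * application's conversation function if nothing has been set yet. */
    if (pam_get_user(pamh, &typed, "Login name: ") != PAM_SUCCESS || typed == NULL)
        return PAM_USER_UNKNOWN;

    posix = map_login_to_posix(typed);
    if (posix == NULL)
        return PAM_USER_UNKNOWN;

    /* Replace PAM_USER; PAM copies the string, so the pointer need not outlive
     * this call. Modules stacked after this one read the POSIX name. */
    if (pam_set_item(pamh, PAM_USER, posix) != PAM_SUCCESS)
        return PAM_SYSTEM_ERR;

    /* This module only rewrites the name; it does not authenticate anyone,
     * so it must not contribute a success to the stack. */
    return PAM_IGNORE;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#endif
```

Stack the module before pam_krb5 in the service's PAM configuration. It returns PAM_IGNORE so it never counts as an authentication result by itself, and an unmapped name fails the lookup outright instead of passing the typed string through. As Balazs points out, this only helps applications that read PAM_USER back after the stack has run; a program that stored the typed name itself before calling PAM (his poppasswd example) keeps using the unconverted name.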