Host Alias
yo timo
bacolod85 at yahoo.com
Mon Mar 24 13:56:54 EST 2003
I have come across a usability issue where users of a network I plan to implement Kerberos on are currently accustomed to host aliases, i.e., typing 'ftp foo' instead of 'ftp foo.my.long.host.name.com.'
Anyone have advice on how to get around using fully qualified hostnames for Kerberos host principals?
Thanks.
-Bacolod
Re: Configuring kerberos for Solaris
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Mar 24 19:49:44 2003
Ganesh wrote:
> I'm trying to configure kerberos, to authenticate the
> users through Web. I've successfully compiled
> mod_auth_pam.c on Solaris 8 and am able to authenticate
> the users, if I use pam_unix.so.1 in my pam.conf file.
> But if I try to authenticate by using pam_krb5.so.1
> it fails.
>
> I'm using the pam_krb5.so.1 which is shipped along with solaris2.8.

If you are using the pam_krb5 that shipped with Solaris 2.8 then you
also need to be using the SEAM package for Solaris 8 (free download
from www.sun.com). If you go that route, I recommend making sure
you have all the latest pam_krb5 and SEAM related patches.

If you are determined to stick with the MIT Kerberos libraries and not
use the Solaris Kerberos stuff, then you should probably get a different
pam_krb5 module (http://www.fcusack.com is one such module).

-Wyllys

>
> A snap shot of my pam.conf file :
>
> # The commented line works fine
> #
> httpd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> #httpd auth required /usr/lib/security/$ISA/pam_unix.so.1
>
> httpd account sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> #httpd account required /usr/lib/security/$ISA/pam_unix.so.1
>
> My /etc/krb5/krb5.conf file ..
>
> [libdefaults]
> default_realm = INDIA.HP.COM
> default_tkt_enctypes = DES-CBC-CRC
> default_tgs_enctypes = DES-CBC-CRC
> ccache_type = 2
>
> [realms]
> INDIA.HP.COM = {
> kdc = nt40239.india.hp.com:88
> admin_server = nt40239.india.hp.com:749
> default_domain = india.hp.com
> }
>
> [domain_realm]
> .india.hp.com = INDIA.HP.COM
> india.hp.com = INDIA.HP.COM
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> I've also updated the /etc/services file to look into my
> KDC server.
>
> My kDC server(Linux server) is up and running as I'm
> able to authenticate the users, with the same KDC if
> the client is HP-Ux m/c.
>
> Is that I've to make any changes in my krb5.conf file or
> have to rebuild the pam_krb5.so file ? Please give your
> inputs!
>
> TIA,
> Ganesh.