Host Alias

yo timo bacolod85 at yahoo.com
Mon Mar 24 13:56:54 EST 2003


I have come across a usability issue where users of a network I plan to implement Kerberos on are currently accustomed to host aliases, i.e., typing 'ftp foo' instead of 'ftp foo.my.long.host.name.com.'

Anyone have advice on how to get around using fully qualified hostnames for Kerberos host principals?

Thanks.

-Bacolod



From: Wyllys Ingersoll <wyllys.ingersoll at sun.com>
Date: Mon, 24 Mar 2003 19:49:38 -0500
To: Ganesh <ganeshv at india.hp.com>
cc: kerberos at mit.edu
Subject: Re: Configuring kerberos for Solaris

Ganesh wrote:
> I'm trying to configure kerberos, to authenticate the
> users through Web. I've successfully compiled
> mod_auth_pam.c on Solaris 8 and am able to authenticate
> the users, if I use pam_unix.so.1 in my pam.conf file.
> But if I try to authenticate by using pam_krb5.so.1
> it fails.
> 
> I'm using the pam_krb5.so.1 which is shipped along with solaris2.8.

If you are using the pam_krb5 that shipped with Solaris 2.8 then you
also need to be using the SEAM package for Solaris 8 (free download
from www.sun.com).   If you go that route, I recommend making sure
you have all the latest pam_krb5 and SEAM related patches.

If you are determined to stick with the MIT Kerberos libraries and not
use the Solaris Kerberos stuff, then you should probably get a different
pam_krb5 module (http://www.fcusack.com is one such module).

-Wyllys

> 
> A snap shot of my pam.conf file :
> 
> # The commented line works fine
> #
> httpd   auth sufficient   /usr/lib/security/$ISA/pam_krb5.so.1
> #httpd   auth required   /usr/lib/security/$ISA/pam_unix.so.1
> 
> httpd   account  sufficient     /usr/lib/security/$ISA/pam_krb5.so.1
> #httpd   account required       /usr/lib/security/$ISA/pam_unix.so.1
> 
> My /etc/krb5/krb5.conf file ..
> 
> [libdefaults]
>    default_realm = INDIA.HP.COM
>    default_tkt_enctypes = DES-CBC-CRC
>    default_tgs_enctypes = DES-CBC-CRC
>    ccache_type = 2
> 
> [realms]
>    INDIA.HP.COM = {
>       kdc = nt40239.india.hp.com:88
>       admin_server = nt40239.india.hp.com:749
>       default_domain = india.hp.com
> }
> 
> [domain_realm]
>  .india.hp.com = INDIA.HP.COM
>  india.hp.com = INDIA.HP.COM
> 
> [logging]
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmin.log
>         default = FILE:/var/log/krb5lib.log
> 
> I've also updated the /etc/services file to look into my
> KDC server.
> 
> My KDC server (Linux server) is up and running as I'm
> able to authenticate the users, with the same KDC if
> the client is HP-UX m/c.
> 
> Is that I've to make any changes in my krb5.conf file or
> have to rebuild the pam_krb5.so file ? Please give your
> inputs!
> 
> TIA,
> Ganesh.