Configuring Kerberos for Solaris

Ganesh Viswanathan ganeshv at india.hp.com
Tue Mar 25 11:38:18 EST 2003


Thanks for the right pointer.
Now I've installed and configured the SEAM client on
my Solaris m/c. But I'm still not able to authenticate
the users. Though my web request authentication
still fails, the new pam_krb5 tries to reach the
KDC, as it logs the following message whenever
I make a request to my KDC.

# /var/log/krb5kdc.log ...
Mar 25 15:56:16 KDC.india.hp.com krb5kdc[1059](info): AS_REQ (1 etypes {1}) client.india.hp.com(88): ISSUE: authtime 1048587976, etypes {rep=1 tkt=16 ses=1}, user1@INDIA.HP.COM for krbtgt/INDIA.HP.COM@INDIA.HP.COM

This didn't use to happen with my old pam_krb5.

Do I have to do anything more than what is mentioned
in the Installation and Configuration Guide of SEAM?

Thanks and Regards,
Ganesh.

Wyllys Ingersoll wrote:

> Adams, Ann (A.M.) wrote:
> > Ok,
> >
> > I have to ask, does SUN have a kerberized hpptd?
>
> No, the person who posed the question was trying to configure Apache to use
> PAM to perform the authentication via Kerberos. This is NOT the same
> as having a truly "Kerberized" http daemon.
>
> Having "proper" Kerberos (or GSSAPI) authentication to the web server requires
> a browser which also supports the authentication protocol and currently, as far as I
> know, only Microsoft's IE supports native GSSAPI authentication, and it only works
> when talking to an IIS web server.
>
> -Wyllys
>
> > I thought they only had the standard network services.  I have not seen a reference
> > by either
> > SUN, HP, or MIT to a kerberized httpd. Has SUN done any development on web
> > authentication via Kerberos?
> >
> > I was looking around some of the university sites to see if there was a kerberized web authentication modules available for testing.  My impression was that they had been written but nothing publicly available to test.
> >
> > Dartmouth had publicly available a Kerberos IV module, but I didn't see anything for Kerberos V.  CUSSP is a perl5 module from Cornell University that is referenced below.  Both of these are well documented and clear, but it doesn't appear to continue into the Kerberos V environment.
> >
> >  excerpt from Dartmouth web site below:....
> >               Kerberos authentication can be invoked from a CGI script.
> >               There are Perl interfaces to do this.
> >               The example below shows a CGI that authenticates the user,
> >                then displays the name(s) and information from the
> >                ticket(s) that were generated.
> >
> >               In Perl, you can use the GetK4Ticket function to validate a user.
> >               This function is defined in the CUSSP library.
> >
> >               GetK4Ticket is defined as:
> >               ($rc, $em, %tckt) = CUSSP::GetK4Ticket("WWW-agent",
> >                "WWW", $cgi->remote_addr(), undef, $ENV{'REMOTE_PORT'});
> >
> >
> > If anything I have stated in incorrect, I request correction.  If there are other resources I should be looking at please indicate.
> >
> >
> > regards,
> > Ann Adams
> > Computer Architect/SIE
> > Ford Motor Company
> >
> >
> >
> > -----Original Message-----
> > From: Wyllys Ingersoll [mailto:wyllys.ingersoll at sun.com]
> > Sent: Monday, March 24, 2003 7:50 PM
> > To: Ganesh
> > Cc: kerberos at mit.edu
> > Subject: Re: Configuring kerberos for Solaris
> >
> >
> > Ganesh wrote:
> >
> >>I'm trying to configure Kerberos to authenticate the
> >>users through the Web. I've successfully compiled
> >>mod_auth_pam.c on Solaris 8 and am able to authenticate
> >>the users if I use pam_unix.so.1 in my pam.conf file.
> >>But if I try to authenticate by using pam_krb5.so.1
> >>it fails.
> >>
> >>I'm using the pam_krb5.so.1 which is shipped along with solaris2.8.
> >
> >
> > If you are using the pam_krb5 that shipped with Solaris 2.8 then you
> > also need to be using the SEAM package for Solaris 8 (free download
> > from www.sun.com).   If you go that route, I recommend making sure
> > you have all the latest pam_krb5 and SEAM related patches.
> >
> > If you are determined to stick with the MIT Kerberos libraries and not
> > use the Solaris Kerberos stuff, then you should probably get a different
> > pam_krb5 module (http://www.fcusack.com is one such module).
> >
> > -Wyllys
> >
> >
> >>A snapshot of my pam.conf file:
> >>
> >># The commented line works fine
> >>#
> >>httpd   auth sufficient   /usr/lib/security/$ISA/pam_krb5.so.1
> >>#httpd   auth required   /usr/lib/security/$ISA/pam_unix.so.1
> >>
> >>httpd   account  sufficient     /usr/lib/security/$ISA/pam_krb5.so.1
> >>#httpd   account required       /usr/lib/security/$ISA/pam_unix.so.1
> >>
> >>My /etc/krb5/krb5.conf file ..
> >>
> >>[libdefaults]
> >>   default_realm = INDIA.HP.COM
> >>   default_tkt_enctypes = DES-CBC-CRC
> >>   default_tgs_enctypes = DES-CBC-CRC
> >>   ccache_type = 2
> >>
> >>[realms]
> >>   INDIA.HP.COM = {
> >>      kdc = nt40239.india.hp.com:88
> >>      admin_server = nt40239.india.hp.com:749
> >>      default_domain = india.hp.com
> >>}
> >>
> >>[domain_realm]
> >> .india.hp.com = INDIA.HP.COM
> >> india.hp.com = INDIA.HP.COM
> >>
> >>[logging]
> >>        kdc = FILE:/var/log/krb5kdc.log
> >>        admin_server = FILE:/var/log/kadmin.log
> >>        default = FILE:/var/log/krb5lib.log
> >>
> >>I've also updated the /etc/services file to look into my
> >>KDC server.
> >>
> >>My KDC server (a Linux server) is up and running, as I'm
> >>able to authenticate the users with the same KDC if
> >>the client is an HP-UX m/c.
> >>
> >>Do I have to make any changes in my krb5.conf file or
> >>rebuild the pam_krb5.so file? Please give your
> >>inputs!
> >>
> >>TIA,
> >>Ganesh.
> >>________________________________________________
> >>Kerberos mailing list           Kerberos at mit.edu
> >>https://mailman.mit.edu/mailman/listinfo/kerberos
> >
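As an added example (not part of the thread, and not code from the SEAM or MIT Kerberos projects), here is a small Python parser for krb5kdc.log request lines of the shape quoted at the top of the message. The sample lines are constructed: the first copies the ISSUE line from the message, the other two show the error form the KDC logs when it refuses a request. The point for anyone debugging this kind of setup: an ISSUE line means the KDC found the principal and returned a reply, so with a log like the one above the failure is happening after the KDC exchange, on the client side in pam_krb5 and the PAM stack. Without pre-authentication the KDC answers any AS_REQ for a known principal, so ISSUE by itself does not prove the password was right; the client only finds that out when it cannot decrypt the reply. The parser also names the encryption types: in the Kerberos registry 1 is des-cbc-crc and 16 is des3-cbc-sha1, so the quoted exchange used single DES for the reply and the session key, exactly what the krb5.conf in the thread asks for with default_tkt_enctypes = DES-CBC-CRC.

```python
import re

# Kerberos encryption-type numbers from the RFC 3961 / IANA registry.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES types: 56-bit keys, brute-forceable for a long time now.
WEAK_ENCTYPES = {1, 3}

# Constructed sample: line 1 is the ISSUE line from the message (with the
# archive's " at " restored to "@"); lines 2 and 3 are the error shape the
# MIT KDC logs when it refuses an AS_REQ.
SAMPLE_LOG = """\
Mar 25 15:56:16 KDC.india.hp.com krb5kdc[1059](info): AS_REQ (1 etypes {1}) client.india.hp.com(88): ISSUE: authtime 1048587976, etypes {rep=1 tkt=16 ses=1}, user1@INDIA.HP.COM for krbtgt/INDIA.HP.COM@INDIA.HP.COM
Mar 25 15:57:02 KDC.india.hp.com krb5kdc[1059](info): AS_REQ (1 etypes {1}) client.india.hp.com(88): PREAUTH_FAILED: user2@INDIA.HP.COM for krbtgt/INDIA.HP.COM@INDIA.HP.COM, Decrypt integrity check failed
Mar 25 15:58:10 KDC.india.hp.com krb5kdc[1059](info): AS_REQ (1 etypes {1}) client.india.hp.com(88): CLIENT_NOT_FOUND: nobody@INDIA.HP.COM for krbtgt/INDIA.HP.COM@INDIA.HP.COM, Client not found in Kerberos database
"""

# Header shared by every request line: timestamp, KDC host, pid, level,
# request type, the etypes the client offered, client address, status word.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<request>AS_REQ|TGS_REQ) \((?P<count>\d+) etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<client_addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# Tail of an ISSUE line: negotiated etypes, then client and server principals.
ISSUE_RE = re.compile(
    r"^authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)
# Tail of an error line: principals followed by the KDC's reason text.
ERROR_RE = re.compile(r"^(?P<client>\S+) for (?P<server>\S+), (?P<reason>.*)$")


def enctype_name(num):
    return ENCTYPES.get(num, "etype-%d" % num)


def parse_kdc_line(line):
    """Parse one krb5kdc.log request line; return None for lines of other shapes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": m.group("ts"),
        "kdc": m.group("kdc"),
        "request": m.group("request"),
        "offered_etypes": [enctype_name(int(x)) for x in m.group("offered").split()],
        "client_addr": m.group("client_addr"),
        "status": m.group("status"),
        "issued": m.group("status") == "ISSUE",
    }
    rest = m.group("rest")
    if rec["issued"]:
        t = ISSUE_RE.match(rest)
        if not t:
            return None
        nums = {k: int(t.group(k)) for k in ("rep", "tkt", "ses")}
        rec.update(
            client=t.group("client"),
            server=t.group("server"),
            authtime=int(t.group("authtime")),
            etypes={k: enctype_name(v) for k, v in nums.items()},
            # Which parts used single DES: the reply to the client (rep),
            # the ticket itself (tkt) or the session key (ses).
            weak=[k for k, v in nums.items() if v in WEAK_ENCTYPES],
        )
    else:
        t = ERROR_RE.match(rest)
        if not t:
            return None
        rec.update(client=t.group("client"), server=t.group("server"),
                   reason=t.group("reason"))
    return rec


def analyze_log(text):
    """Return parsed records for every request line in a krb5kdc.log excerpt."""
    return [r for r in (parse_kdc_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        if r["issued"]:
            print("%s %s: KDC replied to %s for %s; weak DES used for: %s"
                  % (r["timestamp"], r["request"], r["client"], r["server"],
                     ", ".join(r["weak"]) or "nothing"))
        else:
            print("%s %s: KDC refused %s: %s (%s)"
                  % (r["timestamp"], r["request"], r["client"], r["status"], r["reason"]))
```

Run against a real krb5kdc.log, a request that never produces any line at all points at name resolution, /etc/services or the kdc entry in krb5.conf on the client, while an error status names the KDC's reason directly; only an ISSUE line moves the search to the client's own PAM stack.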

