Kerberos and gssapi

R Howard rhoward102002 at yahoo.com
Mon Nov 10 06:32:22 EST 2003


All,
 
I am not sure this is the right forum for this but I figured I would give it a try.
 
I am trying to help out a programmer who is using the gssapi to create their own code similar to the gss-client and gss-server sample routines.  Unfortunately, they are having some problems.
 
In our setup we are using a Microsoft KDC and a Solaris 8 workstation as a client.

 
I have managed to compile the gss-server and gss-client sample routines.  I have been able to execute them without a problem to verify that the Solaris box has been set up correctly - basically that the configuration files are correct.
 
The problem the programmer is encountering is that the code they have written using the gssapi gets to a point where it dies on an rpc_100029.x (where x is usually 1, 2 or 3) error.  Usually it is dying because this file does not exist.
 
Any suggestions or pointers would be appreciated.
 
Thanks.
 
R. Howard
 
 


Pam problem with krb5?

Mike Haney haneym at rcc.on.ca
10 Nov 2003 06:25:57 -0800

I've been working to get kerberos v5 authentication working with AD
and have managed to get ticket granting working with local login or
ssh login (I have kerberos logging enabled on W2K and see the ticket
grant success message)...  My problem is that no matter how I change
my Pam configuration I still get denied access?

I have followed the MS guide to getting this working but the unix
configuration is very vague in regards to setting up pam...  Any
suggestions are greatly appreciated!

Thanks in advance,
Mike



/etc/pam.conf:
login   auth    sufficient      pam_krb5.so     try_first_pass
login   auth    required        pam_unix.so     try_first_pass
login   account required        pam_unix.so
login   password required       pam_permit.so
login   session required        pam_permit.so

/var/log/auth.log:
Nov 10 08:07:13 sisbsd sshd[6899]: (pam_krb5) pam_sm_authenticate: result for user `krbtest': Please ignore underlying account module
Nov 10 08:07:13 sisbsd sshd[6897]: error: PAM: Authentication failure
Nov 10 08:07:13 sisbsd sshd[6897]: Failed keyboard-interactive/pam for krbtest from ::1 port 1043 ssh2

/etc/master.passwd:
krbtest:krb5:1004:1004::0:0:krbtest:/home/krbtest:/bin/sh

W2K AD account settings (krbtest):
- User cannot change password
- Password never expires
- Use DES encryption
- Do not require kerberos pre-auth

W2K Event Log:
- EventID 672 Authentication Ticket Granted
- No other events shown (fail or success) in given timeframe

