Solaris using Kerberos

Douglas E. Engert deengert at anl.gov
Wed Dec 8 11:00:05 EST 2004



David A Flores wrote:

> Help anyone,
> We are using a Windows domain controller as a KDC and we are trying to
> authenticate a Solaris 9.0 OS box using Kerberos.  The following is the
> command we use to create the keytab file:
> 
> ktpass -princ host/dean19.uthsch.edu@UTHSCU.EDU -mapuser dean19 -pass * -out
> c:\dean19.keytab

You may need to specify -kvno, but see below.  You may also need the +DesOnly.

It could also be a des-cbc-crc vs des-cbc-md5 (W2k will use crc, W2003 will use md5).

> 
> Once we create the keytab file we send it to the sever via ssh.  Attached
> are the pam.conf file and the krb5.conf that we configured.  One the
> computer called dean19 we ran the ktutil
> 
> rkt /etc/krb5/dean.keytab
> wkt /etc/krb5/krb5.keytab
> 
> After the rkt and the wkt commands we do a list and it shows a "slot KVNO
> Principal"
> 
> We then validate the server's ability to communicate with the MS Kerberos
> Domain Controller by requesting a Ticket Granting Ticket using kinit.
> 
> We then use klist to verify that a TGT has been issued.
> 
> But when we try to login to the box we get the following error.
> 
> Dec  7 16:27:38 dean19 login: [ID 537602 auth.error] PAM-KRB5 (auth):
> krb5_verify_init_creds failed: Key table entry not found
> 
> 
> We tried it on 2 solaris machines and we are getting the same error.  Does
> anyone know why this might be happening?  
> 
If you have the MIT kvno command try it to see what the AD has for a kvno:

  kvno host/dean19.uthsch.edu@UTHSCU.EDU


Also try the klist -k -t -K /etc/krb5/krb5.keytab (MIT or SEAM)
to see what the keytab has and what enctypes it has.
(Don't send this as it exposes the key.)

Another way to do this at least with the MIT code is to use the
ktutil addent, that will let you add an entry with the kvno, enctype
and key or key via a password. So you don't transfer the output of
the ktpass. (If you do this with the password, you need to
add the salt. If you want to try this I will send the instructions.)




> 
> 
> David Flores
> Medical School Information Technology
> System Analyst II
> 713-500-5211
> 

> ------------------------------------------------------------------------
> 
> #
> #ident	"@(#)pam.conf	1.20	02/01/23 SMI"
> #
> # Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login	auth sufficient		pam_krb5.so.1 try_first_pass
> login	auth requisite		pam_authtok_get.so.1
> login	auth required		pam_dhkeys.so.1
> login	auth required		pam_unix_auth.so.1
> login	auth required		pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin	auth sufficient		pam_rhosts_auth.so.1
> rlogin	auth requisite		pam_authtok_get.so.1
> rlogin	auth required		pam_dhkeys.so.1
> rlogin	auth required		pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh	auth sufficient		pam_rhosts_auth.so.1
> rsh	auth required		pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp	auth requisite		pam_authtok_get.so.1
> ppp	auth required		pam_dhkeys.so.1
> ppp	auth required		pam_unix_auth.so.1
> ppp	auth required		pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other	auth requisite		pam_authtok_get.so.1
> other	auth required		pam_dhkeys.so.1
> other	auth sufficient		pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd	auth required		pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron	account required	pam_projects.so.1
> cron	account required	pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other	account requisite	pam_roles.so.1
> other	account required	pam_projects.so.1
> other	account required	pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other	session required	pam_unix_session.so.1
> #
> # Default definition for  Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other	password required	pam_dhkeys.so.1
> other	password requisite	pam_authtok_get.so.1
> other	password requisite	pam_authtok_check.so.1
> other	password required	pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> #
> #rlogin		auth optional		pam_krb5.so.1 try_first_pass
> #login		auth optional		pam_krb5.so.1 try_first_pass
> #other		auth optional		pam_krb5.so.1 try_first_pass
> #cron		account optional 	pam_krb5.so.1
> #other		account optional 	pam_krb5.so.1
> #other		session optional 	pam_krb5.so.1
> #other		password optional 	pam_krb5.so.1 try_first_pass
> 
> 
> ------------------------------------------------------------------------
> 
> [libdefaults]
> 	default_realm = UTHSCH.EDU
> 	default_keytab_name = FILE:/etc/krb5/krb5.keytab
> 	default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> 	default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> 
> [realms]
> 		UTHSCH.EDU = {
> 		kdc = msdc1.uthsch.edu
> 		admin_server = msdc1.uthsch.edu
> 	}
> 
> [domain_realm]
> 	.uthsch.edu = UTHSCH.EDU
> 	uthsch.edu = UTHSCH.EDU
> 
> [logging]
> 	default = FILE:/var/krb5/kdc.log
> 	kdc = FILE:/var/krb5/kdc.log
> 
> [appdefaults]
> 	gkadmin = {
> 		help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
> 	}
> 
> 
> ------------------------------------------------------------------------
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
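As an added illustration (not code from this thread, nor from MIT or SEAM), a Python check that parses constructed klist -k -t -K and kvno output in the MIT format and reports the mismatches the reply suggests looking for: keytab kvno vs. the kvno the KDC reports, keytab enctype vs. default_tgs_enctypes, and the principal's realm vs. the krb5.conf default_realm. The sample outputs, the kvno numbers, the timestamp and the key bytes are constructed; the principal, realm and enctype values are the ones visible in the posted ktpass command and krb5.conf.

```python
import re

# Constructed sample output of "klist -k -t -K /etc/krb5/krb5.keytab" (MIT
# format); kvno, timestamp and key are made up, not taken from the thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   3 12/07/04 15:10:22 host/dean19.uthsch.edu@UTHSCU.EDU (DES cbc mode with CRC-32)  (0x0123456789abcdef)
"""
# Constructed sample output of "kvno host/dean19.uthsch.edu@UTHSCU.EDU".
SAMPLE_KVNO = "host/dean19.uthsch.edu@UTHSCU.EDU: kvno = 4"
DEFAULT_REALM = "UTHSCH.EDU"                    # from the posted krb5.conf
TGS_ENCTYPES = ["des-cbc-md5", "des-cbc-crc"]   # default_tgs_enctypes
# Long enctype names as klist prints them, mapped to krb5.conf names.
ENCTYPE_NAMES = {"DES cbc mode with CRC-32": "des-cbc-crc",
                 "DES cbc mode with RSA-MD5": "des-cbc-md5"}

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from klist -k -t -K output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+ \S+\s+(\S+@\S+)\s+\((.*?)\)", line)
        if m:
            enctype = ENCTYPE_NAMES.get(m.group(3), m.group(3))
            entries.append((int(m.group(1)), m.group(2), enctype))
    return entries

def parse_kvno(text):
    """Return (principal, kvno) from MIT kvno output."""
    m = re.match(r"(\S+): kvno = (\d+)", text.strip())
    return m.group(1), int(m.group(2))

def check_keytab(klist_out, kvno_out, default_realm, tgs_enctypes):
    """Return the mismatches found; an empty list means keytab and KDC agree."""
    findings = []
    princ, kdc_kvno = parse_kvno(kvno_out)
    mine = [e for e in parse_klist(klist_out) if e[1] == princ]
    if not mine:
        findings.append(f"keytab has no entry for {princ}")
    else:
        kvnos = sorted({e[0] for e in mine})
        if kdc_kvno not in kvnos:
            findings.append(f"kvno mismatch: keytab {kvnos}, KDC reports {kdc_kvno}")
        if not any(e[2] in tgs_enctypes for e in mine):
            findings.append(f"no keytab key matches default_tgs_enctypes {tgs_enctypes}")
    realm = princ.rsplit("@", 1)[1]
    if realm != default_realm:
        findings.append(f"principal realm {realm} differs from default_realm {default_realm}")
    return findings
```

Run it against the real outputs on the host being debugged; any non-empty result is a reason krb5_verify_init_creds may report "Key table entry not found" before the keytab contents themselves need to be shared.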

