Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)

Eliot Lebsack elebsack at mitre.org
Tue Jul 27 09:29:21 EDT 2004


Henry,

I checked all of the permissions, and they check out.
However, this does not fix the problem.

Regards,

Eliot

======================================================
Eliot Lebsack                         (781) 271-5830
Lead Communications Engineer      elebsack at mitre.org
The MITRE Corporation                    Bedford, MA

-----Original Message-----
From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov] 
Sent: Monday, July 26, 2004 6:20 PM
To: Eliot Lebsack
Cc: kerberos at mit.edu
Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)


Right, that's the problem.  You need to set -rw-r--r-- (644) for krb5.conf.

Those permissions are correct for krb5.keytab.

Both should be root owned.

On Jul 26, 2004, at 1:05 PM, Eliot Lebsack wrote:

> Henry,
>
> Just checked - the permissions are -rw------- (0600).
> Still have the same problem. The /etc/krb5/krb5.keytab
> file is also set with the same permissions.
>
> Regards,
>
> Eliot
>
> ======================================================
> Eliot Lebsack                         (781) 271-5830
> Lead Communications Engineer      elebsack at mitre.org
> The MITRE Corporation                    Bedford, MA
>
> -----Original Message-----
> From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov]
> Sent: Monday, July 26, 2004 3:17 PM
> To: kerberos at mit.edu
> Cc: Eliot Lebsack
> Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)
>
>
> If it works as root, but not as a user, then it sounds like a
> permissions problem.  Is /etc/krb5/krb5.conf world-readable?
>
> On Jul 26, 2004, at 9:00 AM, kerberos-request at mit.edu wrote:
>
>> Date: Mon, 26 Jul 2004 09:55:02 -0400
>> From: "Eliot Lebsack" <elebsack at mitre.org>
>> To: <kerberos at mit.edu>
>> Subject: Solaris pam-krb5 client and MIT krb5 KDC on Linux
>> Message-ID: <000901c47318$25c78aa0$1b515381 at MITRE.ORG>
>>
>> Good morning.
>>
>> I've set up a KDC on a RHEL 3 box with NIS as the
>> name service. All of my Linux boxes have no problem
>> authenticating against this configuration.
>>
>> When I attempted to migrate my Solaris 8 (2/02) Ultra 80
>> to this authentication/name service combination, using
>> the on-board (non-SEAM) kerberos authentication tools
>> which are run when reconfiguring a system (running sys-unconfig,
>> then rebooting), I entered the fields for Kerberos
>> as those used by my Linux machines.
>>
>> I went ahead and synced up my /etc/krb5/krb5.conf file with
>> that used by the Linux clients. I uncommented the pam.conf
>> lines for the pam_krb5.so.1 module as directed by the documentation
>> I could find on the web. I've even generated a keytab for the
>> host principal, and moved it into /etc/krb5/krb5.keytab.
>>
>> I've checked my DNS setup as well as NTP. Everything looks good.
>>
>> When I attempt to log onto the Solaris 8 machine as a regular
>> user, forcing the machine to refer to NIS/Kerberos for more
>> information, the pam_krb5 authentication module refuses to allow access.
>>
>> When I "su -" to the user from root, and do a kinit as the user,
>> it successfully gets the Kerberos ticket.
>>
>> It appears that pam_krb5 is not entering the authentication
>> process correctly, or that it is not negotiating with the KDC
>> correctly.
>>
>> Has anyone else tried a similar configuration? I'm trying to
>> do something real basic here; no kerberized NFS or anything like that.
>>
>> I also tried installing SEAM for Solaris 8, and still had the
>> same problem.
>>
>> Regards,
>>
>> Eliot
>>
>> ======================================================
>> Eliot Lebsack                         (781) 271-5830
>> Lead Communications Engineer
>> The MITRE Corporation                    Bedford, MA
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>
>
>
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
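An added check, not code from the thread, for the two conditions Henry lists: krb5.conf world-readable (644) so pam_krb5 can read it as the unprivileged user, the host keytab kept at 0600, and both owned by root. The paths and the expected owner are parameters so the same check can be run against a scratch tree.

```shell
#!/bin/sh
# Added example, not code from the thread: verify the modes Henry lists.
# krb5.conf must be world-readable (644) because pam_krb5 reads it as the
# unprivileged user; the host keytab must stay 0600; both owned by root.
# Uses ls -ld instead of stat(1), which older Solaris releases do not have.

# 10-char mode string of a file, e.g. -rw-r--r-- (a trailing + means ACLs)
mode_of()  { ls -ld "$1" | awk '{ print $1 }'; }
# Owner field of ls -ld: a user name, or a numeric uid with no passwd entry
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# 0 if the "other" read bit is set: what pam_krb5 needs on krb5.conf
world_readable() { case "$(mode_of "$1")" in ???????r??*) return 0 ;; esac; return 1; }
# 0 if no group/other bits are set: the expected shape of a keytab
owner_only()     { case "$(mode_of "$1")" in ????------*) return 0 ;; esac; return 1; }
# 0 if the file is owned by the given user (name or uid)
owned_by()       { [ "$(owner_of "$1")" = "$2" ]; }

# Check conf and keytab, print every finding, return 0 only if all pass.
# $3 is the expected owner: root on a real client, overridable for tests.
check_krb5_client_files() {
    conf=$1; keytab=$2; owner=${3:-root}; rc=0
    for f in "$conf" "$keytab"; do
        [ -f "$f" ] || { echo "FAIL: $f is missing"; return 1; }
        owned_by "$f" "$owner" || { echo "FAIL: $f owned by $(owner_of "$f"), expected $owner"; rc=1; }
    done
    world_readable "$conf" || { echo "FAIL: $conf is $(mode_of "$conf"), needs 644 (-rw-r--r--)"; rc=1; }
    owner_only "$keytab"   || { echo "FAIL: $keytab is $(mode_of "$keytab"), needs 600 (-rw-------)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $conf and $keytab have the expected modes and owner"
    return "$rc"
}

# On a Solaris client configured as in the thread:
# check_krb5_client_files /etc/krb5/krb5.conf /etc/krb5/krb5.keytab
```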