Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)
Douglas E. Engert
deengert at anl.gov
Tue Jul 27 10:21:00 EDT 2004
Eliot Lebsack wrote:
> Henry,
>
> I checked all of the permissions, and they check out.
> However, this does not fix the problem.
>
You say the pam_krb5.so is failing? Any messages?
Have you added the debug parameter to the pam.conf line for the
login auth pam_krb5.so.1 and/or the dtlogin auth pam_krb5.so.1?
Is this the Sun provided version, or some other pam_krb5.so.1?
If it's the Sun version, it might be using different libraries and looking
for krb5.conf in a different location. Sun looks at /etc/krb5/krb5.conf,
MIT looks at /etc/krb5.conf
It might also be that Solaris 8 only supports the enctypes of des-cbc-crc
and des-cbc-md5 and your principals are using 3des.
>
> Regards,
>
> Eliot
>
> ======================================================
> Eliot Lebsack (781) 271-5830
> Lead Communications Engineer elebsack at mitre.org
> The MITRE Corporation Bedford, MA
>
> -----Original Message-----
> From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov]
> Sent: Monday, July 26, 2004 6:20 PM
> To: Eliot Lebsack
> Cc: kerberos at mit.edu
> Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot
> Lebsack)
>
> Right, that's the problem. You need to set -rw-r--r-- (644) for
> krb5.conf.
>
> Those permissions are correct for krb5.keytab.
>
> Both should be root owned.
>
> On Jul 26, 2004, at 1:05 PM, Eliot Lebsack wrote:
>
> > Henry,
> >
> > Just checked - the permissions are -rw------- (0600).
> > Still have the same problem. The /etc/krb5/krb5.keytab
> > file is also set with the same permissions.
> >
> > Regards,
> >
> > Eliot
> >
> > ======================================================
> > Eliot Lebsack (781) 271-5830
> > Lead Communications Engineer elebsack at mitre.org
> > The MITRE Corporation Bedford, MA
> >
> > -----Original Message-----
> > From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov]
> > Sent: Monday, July 26, 2004 3:17 PM
> > To: kerberos at mit.edu
> > Cc: Eliot Lebsack
> > Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot
> > Lebsack)
> >
> >
> > If it works as root, but not as a user, then it sounds like a
> > permissions problem. Is /etc/krb5/krb5.conf world-readable?
> >
> > On Jul 26, 2004, at 9:00 AM, kerberos-request at mit.edu wrote:
> >
> >> Date: Mon, 26 Jul 2004 09:55:02 -0400
> >> From: "Eliot Lebsack" <elebsack at mitre.org>
> >> To: <kerberos at mit.edu>
> >> Subject: Solaris pam-krb5 client and MIT krb5 KDC on Linux
> >> Message-ID: <000901c47318$25c78aa0$1b515381 at MITRE.ORG>
> >> Content-Type: text/plain;
> >> charset="us-ascii"
> >> MIME-Version: 1.0
> >> Content-Transfer-Encoding: 7bit
> >> Precedence: list
> >> Message: 1
> >>
> >> Good morning.
> >>
> >> I've set up a KDC on a RHEL 3 box with NIS as the
> >> name service. All of my Linux boxes have no problem
> >> authenticating against this configuration.
> >>
> >> When I attempted to migrate my Solaris 8 (2/02) Ultra 80
> >> to this authentication/name service combination, using
> >> the on-board (non-SEAM) kerberos authentication tools
> >> which are run when reconfiguring a system (running sys-unconfig,
> >> then rebooting), I entered the fields for Kerberos
> >> as those used by my Linux machines.
> >>
> >> I went ahead and synced up my /etc/krb5/krb5.conf file with
> >> that used by the Linux clients. I uncommented the pam.conf
> >> lines for the pam_krb5.so.1 module as directed by the documentation
> >> I could find on the web. I've even generated a keytab for the
> >> host principal, and moved it into /etc/krb5/krb5.keytab.
> >>
> >> I've checked my DNS setup as well as NTP. Everything looks good.
> >>
> >> When I attempt to log onto the Solaris 8 machine as a regular
> >> user, forcing the machine to refer to NIS/Kerberos for more
> >> information,
> >> the pam_krb5 authentication module refuses to allow access.
> >>
> >> When I "su -" to the user from root, and do a kinit as the user,
> >> it successfully gets the Kerberos ticket.
> >>
> >> It appears that pam_krb5 is not entering the authentication
> >> process correctly, or that it is not negotiating with the KDC
> >> correctly.
> >>
> >> Has anyone else tried a similar configuration? I'm trying to
> >> do something real basic here; no kerberized NFS or anything like that.
> >>
> >> I also tried installing SEAM for Solaris 8, and still had the
> >> same problem.
> >>
> >> Regards,
> >>
> >> Eliot
> >>
> >> ======================================================
> >> Eliot Lebsack (781) 271-5830
> >> Lead Communications Engineer
> >> The MITRE Corporation Bedford, MA
> > ------------------------------------------------------------------------
> > The opinions expressed in this message are mine,
> > not those of Caltech, JPL, NASA, or the US Government.
> > Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> >
> >
> >
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
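The checks the replies point at, as an added shell example that is not part of this thread: krb5.conf readable by the logging-in user (Henry's 644), the keytab kept private, only the two DES enctypes Solaris 8 speaks, and whether the pam_krb5 line carries the debug option. File paths are arguments so it can run against copies, and it assumes GNU stat(1) rather than the Solaris one.

```shell
#!/bin/sh
# Added example, not code from the thread. Mode bits are read with GNU stat -c,
# an assumption of this example (Solaris 8 has no stat(1) with that syntax).

# 0 if "other" can read the file: 644 is what Henry asks for on krb5.conf,
# since pam_krb5 reads it with the credentials of the user logging in.
krb5conf_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in *[4567]) return 0 ;; *) return 1 ;; esac
}

# 0 if neither group nor other has any access (keytab should stay 0600/0400).
keytab_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in ?00) return 0 ;; *) return 1 ;; esac
}

# 0 if every enctype pinned in krb5.conf is des-cbc-crc or des-cbc-md5 (the two
# Douglas says Solaris 8 supports), 1 if anything else such as des3 appears,
# 2 if nothing is pinned and the library/KDC defaults apply instead.
krb5conf_des_only() {
    encs=$(grep -E '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=' "$1" | sed 's/^[^=]*=//')
    [ -n "$encs" ] || return 2
    bad=0
    for enc in $encs; do
        case "$enc" in
            des-cbc-crc|des-cbc-md5) ;;
            *) echo "non-DES enctype in $1: $enc"; bad=1 ;;
        esac
    done
    return $bad
}

# 0 if the "<service> auth ... pam_krb5.so.1" line(s) in pam.conf carry the
# debug option, 1 if the module is listed without it, 2 if no such line.
pam_krb5_debug_on() {
    line=$(grep -E "^[[:space:]]*$2[[:space:]]+auth[[:space:]].*pam_krb5\.so\.1" "$1") || return 2
    case "$line" in *debug*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run: sh check.sh [krb5.conf] [krb5.keytab] [pam.conf] [service]
report() {
    conf=${1:-/etc/krb5/krb5.conf}; keytab=${2:-/etc/krb5/krb5.keytab}
    pamconf=${3:-/etc/pam.conf}; svc=${4:-login}
    krb5conf_world_readable "$conf" && echo "ok: $conf" || echo "FIX: chmod 644 $conf"
    keytab_private "$keytab" && echo "ok: $keytab" || echo "FIX: chmod 600 $keytab"
    krb5conf_des_only "$conf" && echo "ok: DES-only enctypes" || echo "CHECK: enctypes in $conf"
    pam_krb5_debug_on "$pamconf" "$svc" && echo "ok: debug on" || echo "HINT: add debug to $svc auth pam_krb5.so.1"
}
if [ "$#" -gt 0 ]; then report "$@"; fi
```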