Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)

Henry B. Hotz hotz at jpl.nasa.gov
Tue Jul 27 12:56:56 EDT 2004


1) Can the user (once logged in) do a kinit?  (If not check krb5.conf  
permissions, and contents.)

2) Can the user (once kinit'ed) get a host service ticket?  (Try  
telnet'ing to yourself at the external network address.  I think that  
will do it.  If not you need a second machine.)

3) Does the local keytab work?  (Try kinit -k as root.  klist should  
show you are kinit'ed as host/your.machine at YOUR.REALM.)

4) Does the host service ticket agree with the one in the local  
/etc/krb5/krb5.keytab?  (Not sure exactly how to check this.  The  
Solaris ktutil doesn't show much info.  Presumably if both 2 and 3 work  
it should be OK, but they might be different kvno's.)

Don't know if Sol 8 is completely like Sol 9, but the pam modules need  
the host principal to work for full functionality on 9.

Isn't there a debug option for the pam modules?

On Jul 27, 2004, at 6:29 AM, Eliot Lebsack wrote:

> Henry,
>
> I checked all of the permissions, and they check out.
> However, this does not fix the problem.
>
> Regards,
>
> Eliot
>
> ======================================================
> Eliot Lebsack                         (781) 271-5830
> Lead Communications Engineer      elebsack at mitre.org
> The MITRE Corporation                    Bedford, MA
>
> -----Original Message-----
> From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov]
> Sent: Monday, July 26, 2004 6:20 PM
> To: Eliot Lebsack
> Cc: kerberos at mit.edu
> Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot
> Lebsack)
>
>
> Right, that's the problem.  You need to set -rw-r--r-- (644) for
> krb5.conf.
>
> Those permissions are correct for krb5.keytab.
>
> Both should be root owned.
>
> On Jul 26, 2004, at 1:05 PM, Eliot Lebsack wrote:
>
>> Henry,
>>
>> Just checked - the permissions are -rw------- (0600).
>> Still have the same problem. The /etc/krb5/krb5.keytab
>> file is also set with the same permissions.
>>
>> Regards,
>>
>> Eliot
>>
>> ======================================================
>> Eliot Lebsack                         (781) 271-5830
>> Lead Communications Engineer      elebsack at mitre.org
>> The MITRE Corporation                    Bedford, MA
>>
>> -----Original Message-----
>> From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov]
>> Sent: Monday, July 26, 2004 3:17 PM
>> To: kerberos at mit.edu
>> Cc: Eliot Lebsack
>> Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot
>> Lebsack)
>>
>>
>> If it works as root, but not as a user, then it sounds like a
>> permissions problem.  Is /etc/krb5/krb5.conf world-readable?
>>
>> On Jul 26, 2004, at 9:00 AM, kerberos-request at mit.edu wrote:
>>
>>> Date: Mon, 26 Jul 2004 09:55:02 -0400
>>> From: "Eliot Lebsack" <elebsack at mitre.org>
>>> To: <kerberos at mit.edu>
>>> Subject: Solaris pam-krb5 client and MIT krb5 KDC on Linux
>>> Message-ID: <000901c47318$25c78aa0$1b515381 at MITRE.ORG>
>>> Content-Type: text/plain;
>>> 	charset="us-ascii"
>>> MIME-Version: 1.0
>>> Content-Transfer-Encoding: 7bit
>>> Precedence: list
>>> Message: 1
>>>
>>> Good morning.
>>>
>>> I've set up a KDC on a RHEL 3 box with NIS as the
>>> name service. All of my Linux boxes have no problem
>>> authenticating against this configuration.
>>>
>>> When I attempted to migrate my Solaris 8 (2/02) Ultra 80
>>> to this authentication/name service combination, using
>>> the on-board (non-SEAM) kerberos authentication tools
>>> which are run when reconfiguring a system (running sys-unconfig,
>>> then rebooting), I entered the fields for Kerberos
>>> as those used by my Linux machines.
>>>
>>> I went ahead and synced up my /etc/krb5/krb5.conf file with
>>> that used by the Linux clients. I uncommented the pam.conf
>>> lines for the pam_krb5.so.1 module as directed by the documention
>>> I could find on the web. I've even generated a keytab for the
>>> host principle, and moved it into /etc/krb5/krb5.keytab.
>>>
>>> I've checked my DNS setup as well as NTP. Everything looks good.
>>>
>>> When I attempt to log onto the Solaris 8 machine as a regular
>>> user, forcing the machine to refer to NIS/Kerberos for more
>>> information,
>>> the pam_krb5 authentication module refuses to allow access.
>>>
>>> When I "su -" to the user from root, and do a kinit as the user,
>>> it successfully gets the Kerberos ticket.
>>>
>>> It appears that pam_krb5 is not entering the authentication
>>> process correctly, or that it is not negotiating with the KDC
>>> correctly.
>>>
>>> Has anyone else tried a similar configuration? I'm trying to
>>> do something real basic here; no kerberized NFS or anything like  
>>> that.
>>>
>>> I also tried installing SEAM for Solaris 8, and still had the
>>> same problem.
>>>
>>> Regards,
>>>
>>> Eliot
>>>
>>> ======================================================
>>> Eliot Lebsack                         (781) 271-5830
>>> Lead Communications Engineer
>>> The MITRE Corporation                    Bedford, MA
>> ---------------------------------------------------------------------- 
>> -
>> -
>> ----
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>>
>>
>>
> ----------------------------------------------------------------------- 
> -
> ----
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>
>
>
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu



More information about the Kerberos mailing list