Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)

Eliot Lebsack elebsack at mitre.org
Wed Jul 28 08:40:42 EDT 2004


Rodolfo,

Here's my pam.conf file - It's pretty close to the 
pam.conf file which ships with Solaris 8, 2/02 version.

#
#ident  "@(#)pam.conf   1.16    01/01/24 SMI"
#
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Authentication management
#
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
login   auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
#
rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth required   /usr/lib/security/$ISA/pam_unix.so.1
#
rsh     auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
login   account required        /usr/lib/security/$ISA/pam_projects.so.1
login   account required        /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite       /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required        /usr/lib/security/$ISA/pam_projects.so.1
dtlogin account required        /usr/lib/security/$ISA/pam_unix.so.1
#
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_projects.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other   password required       /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
rlogin  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 debug try_first_pass
login   auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 debug try_first_pass
dtlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other   auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
other   account optional /usr/lib/security/$ISA/pam_krb5.so.1
other   session optional /usr/lib/security/$ISA/pam_krb5.so.1
other   password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

Regards,

Eliot

======================================================
Eliot Lebsack                         (781) 271-5830
Lead Communications Engineer      elebsack at mitre.org
The MITRE Corporation                    Bedford, MA
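As an added example (not code from the thread or from Sun), the following Python parses Solaris-style pam.conf lines and reports how the control flag on pam_krb5 affects the auth outcome for a service; the sample lines are constructed to mirror the posted file, and the 'krb5only' service is hypothetical.

```python
# Constructed excerpt modelled on the posted pam.conf. The 'krb5only'
# service is hypothetical and only illustrates the 'required' case.
SAMPLE_PAM_CONF = """
# Authentication management
login     auth required  /usr/lib/security/$ISA/pam_unix.so.1
login     auth required  /usr/lib/security/$ISA/pam_dial_auth.so.1
login     auth optional  /usr/lib/security/$ISA/pam_krb5.so.1 debug try_first_pass
other     auth required  /usr/lib/security/$ISA/pam_unix.so.1
other     auth optional  /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
krb5only  auth required  /usr/lib/security/$ISA/pam_krb5.so.1
"""

def parse_pam_conf(text):
    """Return (service, type, flag, module, options) for each entry.
    Solaris syntax: service module_type control_flag module_path [options]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, path = fields[:4]
        module = path.rsplit("/", 1)[-1]       # strip /usr/lib/security/$ISA/
        entries.append((service, mtype, flag.lower(), module, fields[4:]))
    return entries

def stack_for(entries, service, mtype):
    """Modules PAM consults for service/type, falling back to 'other'."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]

def krb5_verdict(entries, service):
    """'absent', 'advisory', or pam_krb5's own control flag for auth.
    'advisory' = optional beside a required module: a Kerberos failure cannot
    deny the login and a Kerberos success cannot rescue a pam_unix failure."""
    stack = stack_for(entries, service, "auth")
    krb = [e for e in stack if e[3].startswith("pam_krb5")]
    if not krb:
        return "absent"
    others = [e for e in stack if not e[3].startswith("pam_krb5")]
    if krb[0][2] == "optional" and any(e[2] in ("required", "requisite") for e in others):
        return "advisory"
    return krb[0][2]

if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in ("login", "ftp", "krb5only"):   # ftp falls back to 'other'
        print(svc, krb5_verdict(conf, svc))
```

With the posted layout every service reports 'advisory': pam_unix remains the module that actually admits or rejects the user, which is worth knowing before reading a pam_krb5 failure as the cause of a denied login.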

-----Original Message-----
From: rodolfo at ime.unicamp.br [mailto:rodolfo at ime.unicamp.br] 
Sent: Tuesday, July 27, 2004 2:15 PM
To: elebsack at mitre.org
Subject: RE: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)


Hi!

Try commenting out "pam_dhkeys.so" from your pam.conf - if you have it.

If it doesn't solve the problem, put pam in debug mode, adding something
like:

auth.debug          /etc/pam_debug

to your /etc/syslog.conf, and sending a HUP to the syslog daemon.

If it's still not working, can you post your pam.conf here?

[]s!
Rodolfo

> Henry,
>
> I checked all of the permissions, and they check out.
> However, this does not fix the problem.
>
> Regards,
>
> Eliot
>
>
> -----Original Message-----
> From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov]
> Sent: Monday, July 26, 2004 6:20 PM
> To: Eliot Lebsack
> Cc: kerberos at mit.edu
> Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)
>
>
> Right, that's the problem.  You need to set -rw-r--r-- (644) for
> krb5.conf.
>
> Those permissions are correct for krb5.keytab.
>
> Both should be root owned.
>
> On Jul 26, 2004, at 1:05 PM, Eliot Lebsack wrote:
>
>> Henry,
>>
>> Just checked - the permissions are -rw------- (0600).
>> Still have the same problem. The /etc/krb5/krb5.keytab
>> file is also set with the same permissions.
>>
>> Regards,
>>
>> Eliot
>>
>>
>> -----Original Message-----
>> From: Henry B. Hotz [mailto:hotz at jpl.nasa.gov]
>> Sent: Monday, July 26, 2004 3:17 PM
>> To: kerberos at mit.edu
>> Cc: Eliot Lebsack
>> Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)
>>
>>
>> If it works as root, but not as a user, then it sounds like a
>> permissions problem.  Is /etc/krb5/krb5.conf world-readable?
>>
>> On Jul 26, 2004, at 9:00 AM, kerberos-request at mit.edu wrote:
>>
>>> Date: Mon, 26 Jul 2004 09:55:02 -0400
>>> From: "Eliot Lebsack" <elebsack at mitre.org>
>>> To: <kerberos at mit.edu>
>>> Subject: Solaris pam-krb5 client and MIT krb5 KDC on Linux
>>>
>>> Good morning.
>>>
>>> I've set up a KDC on a RHEL 3 box with NIS as the
>>> name service. All of my Linux boxes have no problem
>>> authenticating against this configuration.
>>>
>>> When I attempted to migrate my Solaris 8 (2/02) Ultra 80
>>> to this authentication/name service combination, using
>>> the on-board (non-SEAM) kerberos authentication tools
>>> which are run when reconfiguring a system (running sys-unconfig, then
>>> rebooting), I entered the fields for Kerberos
>>> as those used by my Linux machines.
>>>
>>> I went ahead and synced up my /etc/krb5/krb5.conf file with
>>> that used by the Linux clients. I uncommented the pam.conf
>>> lines for the pam_krb5.so.1 module as directed by the documentation I
>>> could find on the web. I've even generated a keytab for the
>>> host principal, and moved it into /etc/krb5/krb5.keytab.
>>>
>>> I've checked my DNS setup as well as NTP. Everything looks good.
>>>
>>> When I attempt to log onto the Solaris 8 machine as a regular
>>> user, forcing the machine to refer to NIS/Kerberos for more
>>> information, the pam_krb5 authentication module refuses to allow access.
>>>
>>> When I "su -" to the user from root, and do a kinit as the user, it
>>> successfully gets the Kerberos ticket.
>>>
>>> It appears that pam_krb5 is not entering the authentication
>>> process correctly, or that it is not negotiating with the KDC
>>> correctly.
>>>
>>> Has anyone else tried a similar configuration? I'm trying to
>>> do something real basic here; no kerberized NFS or anything like
>>> that.
>>>
>>> I also tried installing SEAM for Solaris 8, and still had the
>>> same problem.
>>>
>>> Regards,
>>>
>>> Eliot
>>>
>> ------------------------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>>
>>
>>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos