Ticket expired with Solaris 8 clients

rmanin@ime.unicamp.br rmanin at ime.unicamp.br
Mon May 24 11:18:13 EDT 2004


Hi, all!

I'm setting up a Kerberos environment, with a Fedora Core/i386 KDC, and some
Fedora and Solaris 8 clients.

The Fedora clients authenticate fine via Kerberos (but I see no "TGS_REQ"
messages in the server's log file - only "AS_REQ" ones.  Btw, is that
right?).

My problem is with my Solaris 8 hosts.

Running 'kinit' at Solaris (with standard Solaris 8 kerberos clients), it
works fine, and I get a ticket:

-----
guest@navarone:[~]$ kinit rmanin
Password for rmanin@IME.UNICAMP.BR:
guest@navarone:[~]$ klist
Ticket cache: /tmp/krb5cc_1001
Default principal: rmanin@IME.UNICAMP.BR

Valid starting                   Expires                          Service principal
Mon 24 May 2004 12:01:01 PM EST  Mon 24 May 2004 08:01:01 PM EST  krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR
        renew until Mon 24 May 2004 12:01:01 PM EST
guest@navarone:[~]$
------

But, when I try to log in using a Kerberos authenticated account, I get a
"Ticket expired" message when handling the TGS.  The krb5kdc log file at my
server shows:

-----
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes
{3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23
ses=1}, rmanin@IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes
{3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23
ses=1}, rmanin@IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes
{3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771,
rmanin@IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR, Ticket
expired
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes
{3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771,
rmanin@IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR, Ticket
expired
-----

I really can't figure out what is happening.  Any suggestions????

The pam.conf at the Solaris client looks like:

-----
# Authentication management
#
other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other   auth required   /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_projects.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here.  However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other   session optional        /usr/lib/security/$ISA/pam_krb5.so.1
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other   password sufficient     /usr/lib/security/$ISA/pam_unix.so.1
other   password required       /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
-----

The client's krb5.conf is

-----
guest@navarone:[~]$ cat /etc/krb5/krb5.conf
[libdefaults]
        ticket_lifetime = 8h 0m 0s
        default_realm = IME.UNICAMP.BR

[realms]
        IME.UNICAMP.BR = {
                kdc = kerberos.ime.unicamp.br
                admin_server = kerberos.ime.unicamp.br
        }

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }
-----

And the server's kdc.conf is:

-----
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 IME.UNICAMP.BR = {
  default_principal_flags = forwardable renewable
  max_life = 8h 0m 0s
  master_key_type = des-cbc-crc
  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
-----


Tnks!!!

[]s!
Rodolfo
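As an added example (not part of Rodolfo's post or of the Kerberos distribution), a small Python checker for the two artifacts quoted above: it parses klist output to get the ticket lifetime and the renewable window, and parses krb5kdc log lines to report, for each TGS_REQ logged TKT_EXPIRED, how far the authtime of the presented ticket lies before the freshly issued TGT. A renewable window of zero (renew until equal to Valid starting) is one of the conditions an MIT KDC reports as TKT_EXPIRED when a client asks to renew, so the checker computes it. The sample input is constructed from the values in the post, with the wrapped lines re-joined.

```python
import re
from datetime import datetime

# Constructed sample input, re-typed from the post with wrapped lines joined.
KLIST_OUTPUT = """Ticket cache: /tmp/krb5cc_1001
Default principal: rmanin@IME.UNICAMP.BR

Valid starting                   Expires                          Service principal
Mon 24 May 2004 12:01:01 PM EST  Mon 24 May 2004 08:01:01 PM EST  krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR
        renew until Mon 24 May 2004 12:01:01 PM EST
"""
KDC_LOG = """May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes {3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23 ses=1}, rmanin@IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes {3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771, rmanin@IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR, Ticket expired
"""

# klist prints local times followed by a zone abbreviation; the abbreviation is
# matched but not captured because strptime cannot portably parse zone names.
_TS = r"(\w{3} \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [AP]M) \w+"
# One krb5kdc record: request type, client IP, status, authtime, principals.
_LOG = re.compile(r"krb5kdc\[\d+\]\(\w+\): (AS_REQ|TGS_REQ) .*?(\d+\.\d+\.\d+\.\d+): "
                  r"(\w+): authtime (\d+),.*?(\S+) for (\S+)")

def _ts(text):
    return datetime.strptime(text, "%a %d %b %Y %I:%M:%S %p")

def ticket_lifetimes(klist_text):
    """Return (ticket_lifetime_s, renewable_window_s) from klist output.
    A renewable window of 0 means 'renew until' equals 'Valid starting'."""
    start, expires, renew_until = (_ts(t) for t in re.findall(_TS, klist_text))
    return (int((expires - start).total_seconds()),
            int((renew_until - start).total_seconds()))

def parse_kdc_log(log_text):
    """Extract the fields of each AS_REQ/TGS_REQ record as a dict."""
    records = []
    for m in _LOG.finditer(log_text):
        req, ip, status, authtime, client, service = m.groups()
        records.append({"req": req, "client_ip": ip, "status": status,
                        "authtime": int(authtime), "client": client,
                        "service": service.rstrip(",")})
    return records

def expired_ticket_age(records):
    """Seconds between the newest AS_REQ ISSUE authtime and the authtime of the
    ticket presented in each TKT_EXPIRED TGS_REQ (positive: that ticket is
    older than the TGT the KDC had just issued to the same client)."""
    issued = max(r["authtime"] for r in records
                 if r["req"] == "AS_REQ" and r["status"] == "ISSUE")
    return [issued - r["authtime"] for r in records if r["status"] == "TKT_EXPIRED"]
```

On the post's values this yields an 8h ticket with a 0 s renewable window, and a TKT_EXPIRED TGS_REQ presenting a ticket issued 436 s before the TGT logged in the AS_REQ.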
