Authentication problems using Telnet on Solaris 9

Markus Moeller huaraz at moeller.plus.com
Sat Sep 4 07:28:07 EDT 2004


Bill,

You need a valid keytab to use pam_krb5 or set verify_ap_req_nofail = false. 
See http://docs.sun.com/db/doc/816-5175/6mbba7f1m?a=view

"pam_sm_authenticate() authenticates a user principal through the Kerberos 
authentication service. If the authentication request is successful, the 
authentication service sends a ticket-granting ticket (TGT) back to the 
service module, which then verifies that the TGT came from a valid Key 
Distribution Center (KDC) by attempting to get a service ticket for the 
local host service. For this to succeed, the local host's keytab file 
(/etc/krb5/krb5.keytab) must contain the entry for the local host service. 
For example, in the file host/hostname.com@REALM, hostname.com is the fully 
qualified local hostname and REALM is the default realm of the local host as 
defined in /etc/krb5/krb5.conf. If the host entry is not found in the keytab 
file, the authentication fails. Administrators may optionally disable this 
"strict" verification by setting the "verify_ap_req_nofail = false" in 
/etc/krb5/krb5.conf. See krb5.conf(4) for more details on this option. This 
allows TGT verification to succeed in the absence of a keytab host principal 
entry."

Regards
Markus


"Bill Smith" <bill.smith at jhuapl.edu> wrote in message 
news:chaabf$m1g$1 at aplcore.jhuapl.edu...
> I'm trying to authenticate to our W2K domain controllers from my UNIX box 
> running Sun's kerberos distribution (SEAM) on a Solaris 9 box.  When I try 
> to login using my domain logon, I get the following error
>
> authentication failed:  Unknown code 2
>
> in /var/adm/messages the following message is also logged
>
> Sep  3 13:38:03 smithwe1-unix login: [ID 537602 auth.error] PAM-KRB5 
> (auth): krb5_verify_init_creds failed: Unknown code 2
>
> I've done some searching and found some info indicating possible problems 
> like this on Solaris 9 but so far no resolution.
>
> FWIW, when I run kinit, I can authenticate to the domain controllers with 
> no problems.
>
> Any idea on what the problem(s) may be?
>
> Thanks,
>
> Bill
>
> 
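
The check described in the reply above, as an added example that is not part of the original thread or of Sun's tooling: a shell sketch that predicts how pam_krb5 TGT verification will behave, given krb5.conf text and plain `klist -k` output. The function names, the `example.com` domain, the `EXAMPLE.COM` realm and the sample inputs are constructed assumptions; only the literal value `false` is treated as disabling the strict check, following the quoted man page text.

```shell
#!/bin/sh
# Added example: predict how pam_krb5 TGT verification behaves on a host,
# from krb5.conf text and plain `klist -k` output (KVNO, then principal).

# Print KEY's value from the [libdefaults] section of krb5.conf text on stdin.
libdefault() {
    awk -v key="$1" '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        !in_ld || /^[ \t]*[#;]/ { next }
        { split($0, kv, "="); k = kv[1]; v = kv[2]
          gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
          if (k == key) val = v }
        END { print val }'
}

# Exit 0 if `klist -k` output on stdin lists host/FQDN@REALM.
has_host_key() {
    awk -v p="host/$1@$2" '$2 == p { found = 1 } END { exit !found }'
}

# Args: krb5.conf text, klist -k text, FQDN. Prints one verdict word.
tgt_verification() {
    realm=$(printf '%s\n' "$1" | libdefault default_realm)
    nofail=$(printf '%s\n' "$1" | libdefault verify_ap_req_nofail)
    if printf '%s\n' "$2" | has_host_key "$3" "$realm"; then
        echo verified       # TGT is checked against the local host key
    elif [ "$nofail" = false ]; then
        echo unverified     # login works, but the KDC is never authenticated
    else
        echo login-fails    # strict check, no host key: the case in the reply
    fi
}

# Constructed sample inputs (domain and realm are placeholders).
CONF='[libdefaults]
    default_realm = EXAMPLE.COM'
CONF_RELAXED="$CONF
    verify_ap_req_nofail = false"
KEYTAB_EMPTY='KVNO Principal
---- ----------------------------------------'
KEYTAB_HOST="$KEYTAB_EMPTY
   3 host/smithwe1-unix.example.com@EXAMPLE.COM"
FQDN=smithwe1-unix.example.com

tgt_verification "$CONF" "$KEYTAB_EMPTY" "$FQDN"
tgt_verification "$CONF_RELAXED" "$KEYTAB_EMPTY" "$FQDN"
tgt_verification "$CONF" "$KEYTAB_HOST" "$FQDN"
```

On a real host, feed it the contents of /etc/krb5/krb5.conf and the output of `klist -k`; an `unverified` verdict means logins succeed without the TGT being checked against a host key.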



