MIT Kerberos 1.4.1, Solaris 8, & AD SSO

Haskins, Russell Russell.Haskins at gd-ais.com
Wed Jun 29 17:55:33 EDT 2005


I am trying to get Single-Sign-On working with the *NIX boxes on our
campus network. The Windows AD is controlled by our outsourced IT group
so we can't drive any requirements on it. I have my Red Hat Enterprise
Linux boxes authenticating correctly to the AD domain. However, I've hit
the wall with Solaris 8 (we have a mix of Solaris; I started with 8).

I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
system. I configured the /etc/krb5.conf for the AD domain and kinit
returns a ticket (works as root or unprivileged user).

I configured /etc/pam.conf for kerberos:

# PAM configuration
#
# This file is configured to try pam_unix first, then pam_krb5
#
# Authentication management
#
other	auth sufficient	/usr/lib/security/$ISA/pam_unix.so.1
other	auth required	/usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
other	account	required	/usr/lib/security/$ISA/pam_projects.so.1
other	account required	/usr/lib/security/$ISA/pam_unix.so.1 
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here.  However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other	session optional	/usr/lib/security/$ISA/pam_krb5.so.1
other	session required	/usr/lib/security/$ISA/pam_unix.so.1 
#
# Password management
#
# You may have to fiddle with this if you have other account databases.
# If you have some centralized user management tool that users use to
# change their password then you may just want to remove the pam_krb5
# here.
#
other	password sufficient	/usr/lib/security/$ISA/pam_unix.so.1
other	password required	/usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#

I created a Solaris account for the principal (first.last), made sure
there was no shadow file entry for the account, then tried to login
using the principal name and kerberos passwd.

Login incorrect

I added logging to the pam.conf configuration and these are the messages
in /var/adm/messages:

Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth: pam_sm_authenticate flags = 0
Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='First.Last', uid=10526
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5: attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5: pam_sm_auth finalize ccname env, result = 9, env = 'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth: returning 9
Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(9)

Any ideas would be greatly appreciated.

Russ...
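As an added example (not part of Russ's post, and not code from MIT Kerberos or Solaris), the script below pulls the numeric "KRB5 error code N" out of pam_krb5 debug lines like the ones above and maps it to the KRB-ERROR name defined in RFC 4120 section 7.5.9, attaching the login attempt it belongs to. The name table is the RFC's; the hint table is general Kerberos troubleshooting knowledge and is an assumption about likely causes, not a diagnosis of this particular host. The embedded log is the post's output with the mail wrapping undone, plus one constructed entry (user jdoe, code 24) so a second code is exercised.

```python
"""Triage Solaris pam_krb5 debug output: decode 'KRB5 error code N' into the
RFC 4120 KRB-ERROR name and pair it with the login attempt that produced it."""
import re
from typing import Dict, List, Optional

# KRB-ERROR codes from RFC 4120 section 7.5.9 that a password login path
# commonly surfaces; anything else is reported as UNKNOWN.
KRB_ERROR_NAMES: Dict[int, str] = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    12: "KDC_ERR_POLICY",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
    60: "KRB_ERR_GENERIC",
}

# Assumed likely causes (general troubleshooting hints, not facts about this host).
HINTS: Dict[int, str] = {
    6: "client principal not known to the KDC: check realm mapping and name case",
    14: "no enctype in common between client and KDC",
    24: "wrong password, or pre-auth against the wrong principal",
    37: "clock skew between client and KDC exceeds the KDC limit",
    52: "KDC reply too large for a UDP datagram (often a big AD PAC); "
        "use TCP, e.g. udp_preference_limit = 1 in [libdefaults]",
}

# Solaris syslog line: "Mon DD HH:MM:SS host prog: [ID nnnnnn fac.pri] message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+): "
    r"\[ID \d+ (?P<facpri>[\w.]+)\] (?P<msg>.*)$"
)
START_RE = re.compile(r"attempt_krb5_login: start: user='(?P<user>[^']*)', uid=(?P<uid>\d+)")
CODE_RE = re.compile(r"tkt_with_pw returns: KRB5 error code (?P<code>\d+)")


def triage_pam_krb5(lines: List[str]) -> List[Dict]:
    """Return one record per failed tkt_with_pw call, joined to the preceding
    attempt_krb5_login 'start' line when one was seen."""
    results: List[Dict] = []
    pending: Optional[Dict] = None
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a syslog line we understand
        msg = m["msg"]
        s = START_RE.search(msg)
        if s:
            pending = {"ts": m["ts"], "host": m["host"], "prog": m["prog"],
                       "user": s["user"], "uid": int(s["uid"])}
            continue
        c = CODE_RE.search(msg)
        if c:
            code = int(c["code"])
            rec = dict(pending) if pending else {"ts": m["ts"], "host": m["host"],
                                                   "prog": m["prog"], "user": None, "uid": None}
            rec.update(code=code,
                       name=KRB_ERROR_NAMES.get(code, "UNKNOWN"),
                       hint=HINTS.get(code, "no hint; look the code up in RFC 4120 section 7.5.9"))
            results.append(rec)
            pending = None
    return results


# Sample input: the post's /var/adm/messages entries (mail wrapping undone),
# followed by one constructed entry for user jdoe to exercise a second code.
SAMPLE_LOG = [
    "Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth: pam_sm_authenticate flags = 0",
    "Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='First.Last', uid=10526",
    "Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 52",
    "Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5: attempt_krb5_login returning 9",
    "Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth: returning 9",
    # constructed entry, not from the post
    "Jun 29 15:02:11 rupfert sshd: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='jdoe', uid=10600",
    "Jun 29 15:02:11 rupfert sshd: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 24",
]

if __name__ == "__main__":
    for r in triage_pam_krb5(SAMPLE_LOG):
        print(f"{r['ts']} {r['host']} {r['prog']} user={r['user']} uid={r['uid']} "
              f"code={r['code']} {r['name']}: {r['hint']}")
```

Run against a real /var/adm/messages with `triage_pam_krb5(open("/var/adm/messages"))`; the "start" and "returns" lines are paired by order, which is adequate for single-threaded console login but can misattribute codes when several logins interleave on one host.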
