MIT Kerberos 1.4.1, Solaris 8, & AD SSO
Haskins, Russell
Russell.Haskins at gd-ais.com
Wed Jun 29 17:55:33 EDT 2005
I am trying to get Single-Sign-On working with the *NIX boxes on our
campus network. The Windows AD is controlled by our outsourced IT group,
so we can't drive any requirements on it. I have my Red Hat Enterprise
Linux boxes authenticating correctly to the AD domain. However, I've hit
the wall with Solaris 8 (we have a mix of Solaris; I started with 8).
I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
system. I configured the /etc/krb5.conf for the AD domain and kinit
returns a ticket (works as root or unprivileged user).
I configured /etc/pam.conf for kerberos:
# PAM configuration
#
# This file is configured to try pam_unix first, then pam_krb5
#
# Authentication management
#
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here. However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
# You may have to fiddle with this if you have other account databases.
# If you have some centralized user management tool that users use to
# change their password then you may just want to remove the pam_krb5
# here.
#
other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
I created a Solaris account for the principal (first.last), made sure
there was no shadow file entry for the account, then tried to login
using the principal name and kerberos passwd.
Login incorrect
I added logging to the pam.conf configuration and these are the messages
in /var/adm/messages:
Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth: pam_sm_authenticate flags = 0
Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='First.Last', uid=10526
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5: attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5: pam_sm_auth finalize ccname env, result = 9, env = 'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth: returning 9
Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(9)
Any ideas would be greatly appreciated.
Russ...
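The numbers in the PAM-KRB5 debug output above are the useful part of the post, and they are easy to misread: "KRB5 error code 52" is a Kerberos protocol error code (RFC 4120 section 7.5.9, where 52 is KRB_ERR_RESPONSE_TOO_BIG, "response too big for UDP, retry with TCP"), and "returning 9" is a PAM return value (PAM_AUTH_ERR in Solaris's security/pam_appl.h). The following script is an added example, not part of the original post or of any Kerberos or Solaris code: it re-joins the syslog entries that /var/adm/messages wraps onto several lines, pulls out the user, uid, credential cache, Kerberos error and PAM status, and names them. The sample log is the post's output embedded verbatim; the assumption that Solaris pam_krb5 logs the raw protocol code, the continuation-line heuristic, and the code tables (a subset) are the author's of this example, not facts the post states. One caveat worth checking on any such host: MIT Kerberos does not ship a PAM module, so the /usr/lib/security/$ISA/pam_krb5.so.1 in pam.conf is Solaris's own module, and Solaris's Kerberos reads /etc/krb5/krb5.conf rather than the /etc/krb5.conf that an MIT build's kinit reads by default.

```python
"""Decode Solaris PAM-KRB5 debug entries from /var/adm/messages.

Added example; not code from the original post or from MIT Kerberos/Solaris.
Assumptions (not stated by the post):
  - syslog wraps long entries, so a line that does not start with a
    "Mon DD HH:MM:SS" timestamp continues the previous entry;
  - the "KRB5 error code N" logged by Solaris pam_krb5 is the Kerberos
    protocol error code of RFC 4120 section 7.5.9;
  - PAM return values follow Solaris <security/pam_appl.h> numbering.
"""
import re
from typing import Dict, List, Optional, Tuple

# Kerberos protocol error codes, RFC 4120 section 7.5.9 (subset).
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED", 23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW", 52: "KRB_ERR_RESPONSE_TOO_BIG",
    60: "KRB_ERR_GENERIC", 68: "KDC_ERR_WRONG_REALM",
}
# What a client is expected to do about a few of them.
KRB_HINTS = {
    52: "KDC reply exceeded the UDP limit; the client must retry over TCP "
        "(RFC 4120 section 7.2.1). Check that the Kerberos library the PAM "
        "module links against can do that.",
    25: "KDC wants pre-authentication; the library should retry with PA data.",
    37: "clock skew between client and KDC exceeds the allowed window.",
}
# Solaris PAM return values, security/pam_appl.h (subset).
PAM_STATUS = {
    0: "PAM_SUCCESS", 3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR",
    7: "PAM_PERM_DENIED", 8: "PAM_MAXTRIES", 9: "PAM_AUTH_ERR",
    12: "PAM_AUTHINFO_UNAVAIL", 13: "PAM_USER_UNKNOWN",
}

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
USER_RE = re.compile(r"user='([^']+)', uid=(\d+)")
KRB_RE = re.compile(r"KRB5 error code (\d+)")
PAM_RE = re.compile(r"(?:returning|status =|result =) (\d+)|pam_sm_auth_status\((\d+)\)")
CC_RE = re.compile(r"KRB5CCNAME=([^'\s]+)")


def unwrap(lines: List[str]) -> List[str]:
    """Re-join syslog entries that were wrapped onto continuation lines."""
    entries: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if SYSLOG_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries


def decode(entries: List[str]) -> Dict[str, object]:
    """Summarise one PAM-KRB5 authentication attempt from unwrapped entries."""
    summary: Dict[str, object] = {
        "user": None, "uid": None, "ccache": None,
        "krb5_error": None, "pam_status": None, "hint": None, "events": [],
    }
    for entry in entries:
        if "PAM-KRB5:" not in entry:
            continue
        summary["events"].append(entry.split("PAM-KRB5:", 1)[1].strip())
        m = USER_RE.search(entry)
        if m:
            summary["user"], summary["uid"] = m.group(1), int(m.group(2))
        m = KRB_RE.search(entry)
        if m:
            code = int(m.group(1))
            summary["krb5_error"] = (code, KRB_ERRORS.get(code, "unknown"))
            summary["hint"] = KRB_HINTS.get(code)
        m = CC_RE.search(entry)
        if m:
            summary["ccache"] = m.group(1)
        for m in PAM_RE.finditer(entry):  # the last status seen wins
            code = int(m.group(1) or m.group(2))
            summary["pam_status"] = (code, PAM_STATUS.get(code, "unknown"))
    return summary


def analyze(text: str) -> Dict[str, object]:
    """Convenience wrapper: raw /var/adm/messages text in, summary out."""
    return decode(unwrap(text.splitlines()))


# Sample input: the debug output quoted in the post, wrapped as syslog wrote it.
SAMPLE_LOG = """\
Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth:
pam_sm_authenticate flags = 0
Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5:
attempt_krb5_login: start: user='First.Last', uid=10526
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth:
krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5:
attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5:
pam_sm_auth finalize ccname env, result = 9, env =
'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth:
returning 9
Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5:
krb5_cleanup pam_sm_auth_status(9)
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key in ("user", "uid", "ccache", "krb5_error", "pam_status", "hint"):
        print(f"{key:11} {result[key]}")
```

Run it against a real /var/adm/messages with `analyze(open("/var/adm/messages").read())`; because only PAM-KRB5 entries are considered and the last status wins, feed it one login attempt at a time (for example the lines for a single timestamp) rather than a whole day's log.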