MIT Kerberos 1.4.1, Solaris 8, & AD SSO

Will Fiveash William.Fiveash at sun.com
Thu Jun 30 17:05:36 EDT 2005


On Wed, Jun 29, 2005 at 02:55:33PM -0700, Haskins, Russell wrote:
> I am trying to get Single-Sign-On working with the *NIX boxes on our
> campus network. The Windows AD is controlled by our outsourced IT group
> so we can't drive any requirements on it. I have my Redhat Enterprise
> Linux boxes authenticating correctly to the AD domain. However I've hit
> the wall with Solaris 8 (we have a mix of Solaris, I started with 8).
> 
> I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
> system. I configured the /etc/krb5.conf for the AD domain and kinit
> returns a ticket (works as root or unprivileged user).

But it looks like you are using the native Solaris pam_krb5 which is
linked against the native Solaris 8 krb lib.  S8 krb does not support
TCP which looks like the error (52) that shows up in your syslog
messages.  Your choices are to disable the PAC data on the AD so the AS
does not use TCP for krb messages (which may not be an option given what
you wrote above), update to Solaris 10 which does support TCP for krb,
find a pam_krb5 that is linked against the MIT 1.4.1 krb lib or have a
Solaris support person file an escalation to get krb TCP support
back-ported to S8.

> I configured /etc/pam.conf for kerberos:
> 
> # PAM configuration
> #
> # This file is configured to try pam_unix first, then pam_krb5
> #
> # Authentication management
> #
> other	auth sufficient	/usr/lib/security/$ISA/pam_unix.so.1
> other	auth required	/usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
> #
> # Account management
> #
> # pam_krb5 has a no-op account module, so we don't bother listing it here
> #
> other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
> other	account	required	/usr/lib/security/$ISA/pam_projects.so.1
> other	account required	/usr/lib/security/$ISA/pam_unix.so.1 
> #
> # Session management
> #
> # pam_krb5 destroys any credential cache on session close, so it's good
> # to have it here.  However, we also need pam_unix to be called, so don't
> # make pam_krb5 "sufficient".
> #
> other	session optional	/usr/lib/security/$ISA/pam_krb5.so.1
> other	session required	/usr/lib/security/$ISA/pam_unix.so.1 
> #
> # Password management
> #
> # You may have to fiddle with this if you have other account databases.
> # If you have some centralized user management tool that users use to
> # change their password then you may just want to remove the pam_krb5
> # here.
> #
> other	password sufficient	/usr/lib/security/$ISA/pam_unix.so.1
> other	password required	/usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
> #
> 
> I created a Solaris account for the principal (first.last), made sure
> there was no shadow file entry for the account, then tried to login
> using the principal name and kerberos passwd.
> 
> Login incorrect
> 
> I added logging to the pam.conf configuration and these are the messages
> in /var/adm/messages:
> 
> Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth:
> pam_sm_authenticate flags = 0
> Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5:
> attempt_krb5_login: start: user='First.Last', uid=10526
> Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth:
> krb5_login: tkt_with_pw returns: KRB5 error code 52
> Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5:
> attempt_krb5_login returning 9
> Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5:
> pam_sm_auth finalize ccname env, result = 9, env =
> 'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
> Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth:
> returning 9
> Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5:
> krb5_cleanup pam_sm_auth_status(9)
> 
> Any ideas would be greatly appreciated.
> 
> Russ...
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

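Added example (not part of this thread, and not code from Sun, MIT or the poster): the transport rule behind the "error code 52" above, in Python. Kerberos error 52 is KRB_ERR_RESPONSE_TOO_BIG (RFC 4120 section 7.5.9); a KDC returns it over UDP when the reply (here, an AD reply carrying a PAC) will not fit, and a TCP-capable client retries over TCP, where every message is prefixed with a 4-byte big-endian length (RFC 4120 section 7.2.2). A UDP-only client library, like the Solaris 8 one Will describes, has nothing to do but hand the error back to pam_krb5. The in-process mock KDC, the placeholder AS-REQ/AS-REP bytes, and the minimal KRB-ERROR (only pvno, msg-type, error-code and realm, not the full RFC 4120 structure) are all constructed for this demonstration; no real KDC or network is involved.

```python
"""Kerberos UDP -> TCP fallback on KRB_ERR_RESPONSE_TOO_BIG (error 52).

A mock KDC on loopback stands in for an AD KDC whose PAC-bearing reply
exceeds the UDP limit: its UDP side always answers with error 52, its TCP
side returns the (placeholder) full reply.  Everything here is constructed
for the demonstration; it is not a real Kerberos implementation.
"""
import socket
import struct
import threading

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 section 7.5.9
TAG_KRB_ERROR = 0x7E            # [APPLICATION 30], constructed
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_CTX_ERROR_CODE = 0xA6       # [6] error-code inside KRB-ERROR
FULL_REPLY = b"AS-REP+PAC placeholder " * 100   # constructed, ~2.3 KB


# --- just enough DER to build and read a KRB-ERROR's error-code --------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    return _der_tlv(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _der_walk(buf):
    """Yield (tag, body) for each definite-length TLV in buf."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:
            length, j = first, i + 2
        else:
            n = first & 0x7F
            length, j = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
        yield tag, buf[j:j + length]
        i = j + length


def build_krb_error(code, realm=b"EXAMPLE.COM"):
    """Minimal KRB-ERROR: pvno, msg-type, error-code, realm (constructed; not all RFC fields)."""
    fields = (_der_tlv(0xA0, _der_int(5))            # pvno [0]
              + _der_tlv(0xA1, _der_int(30))         # msg-type [1] = KRB-ERROR
              + _der_tlv(TAG_CTX_ERROR_CODE, _der_int(code))
              + _der_tlv(0xA9, _der_tlv(0x1B, realm)))  # realm [9] GeneralString
    return _der_tlv(TAG_KRB_ERROR, _der_tlv(TAG_SEQUENCE, fields))


def krb_error_code(buf):
    """Return the error-code if buf is a KRB-ERROR, otherwise None."""
    try:
        items = list(_der_walk(buf))
        if len(items) != 1 or items[0][0] != TAG_KRB_ERROR:
            return None
        seq = list(_der_walk(items[0][1]))
        if len(seq) != 1 or seq[0][0] != TAG_SEQUENCE:
            return None
        for tag, body in _der_walk(seq[0][1]):
            if tag == TAG_CTX_ERROR_CODE:
                (itag, ibody), = _der_walk(body)
                if itag == TAG_INTEGER:
                    return int.from_bytes(ibody, "big", signed=True)
    except (IndexError, ValueError):
        pass
    return None


# --- client side -------------------------------------------------------------
def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def udp_exchange(req, addr, timeout=3.0):
    """What a UDP-only library (the Solaris 8 case) can do: one datagram each way."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, addr)
        reply, _ = s.recvfrom(65535)
    return reply


def tcp_exchange(req, addr, timeout=3.0):
    """RFC 4120 section 7.2.2 framing: 4-byte big-endian length, high bit reserved."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        if n & 0x80000000:
            raise ValueError("reserved high bit set in TCP length prefix")
        return _recv_exact(s, n)


def kdc_exchange(req, udp_addr, tcp_addr):
    """TCP-capable client: try UDP, retry over TCP only on error 52."""
    reply = udp_exchange(req, udp_addr)
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        return "tcp", tcp_exchange(req, tcp_addr)
    return "udp", reply


# --- mock KDC (constructed stand-in for an AD KDC with large PAC replies) ----
class MockKDC:
    def __init__(self, full_reply):
        self.full_reply = full_reply
        self.udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.udp.bind(("127.0.0.1", 0))
        self.tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.tcp.bind(("127.0.0.1", 0))
        self.tcp.listen(1)
        self.udp_addr, self.tcp_addr = self.udp.getsockname(), self.tcp.getsockname()
        for fn in (self._serve_udp, self._serve_tcp):
            threading.Thread(target=fn, daemon=True).start()

    def _serve_udp(self):
        while True:   # every UDP request: "too big, come back over TCP"
            _req, peer = self.udp.recvfrom(65535)
            self.udp.sendto(build_krb_error(KRB_ERR_RESPONSE_TOO_BIG), peer)

    def _serve_tcp(self):
        while True:
            conn, _ = self.tcp.accept()
            with conn:
                (n,) = struct.unpack(">I", _recv_exact(conn, 4))
                _recv_exact(conn, n)   # the AS-REQ; contents irrelevant here
                conn.sendall(struct.pack(">I", len(self.full_reply)) + self.full_reply)


def run_demo():
    """Compare a UDP-only client with a TCP-capable one against the same KDC."""
    kdc = MockKDC(FULL_REPLY)
    req = b"AS-REQ placeholder"   # constructed; a real AS-REQ is DER-encoded
    legacy_error = krb_error_code(udp_exchange(req, kdc.udp_addr))
    transport, reply = kdc_exchange(req, kdc.udp_addr, kdc.tcp_addr)
    return {"legacy_error": legacy_error, "transport": transport, "reply_len": len(reply)}


if __name__ == "__main__":
    print(run_demo())
```

The UDP-only path ends exactly where the syslog trace above ends: the library receives error 52 and pam_krb5 reports it as a failed login. The TCP-capable path is what MIT kinit did on the same box, which is why kinit worked while the native pam_krb5 did not.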
