MIT Kerberos 1.4.1, Solaris 8, & AD SSO

Wachdorf, Daniel R drwachd at sandia.gov
Wed Jun 29 18:11:47 EDT 2005


Error code 52 is the error returned by AD indicating your UDP packet was
too big, and thus it wants to do TCP.  Windows puts the PAC in the
ticket to provide extra authentication information. 

Older versions of Kerberos don't support TCP, and thus don't know what
to do.

-dan
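
Dan's explanation above, turned into a runnable model. This is an added example, not code from the thread, from MIT Kerberos or from Solaris. Per RFC 4120 section 7.2.2, a KDC whose reply will not fit in a UDP datagram answers with a KRB-ERROR whose error-code is 52 (KRB_ERR_RESPONSE_TOO_BIG), and a client that supports TCP resends the same request over TCP, where every message carries a four-byte big-endian length prefix. The `FakeKdc`, its 1400-byte UDP limit, the realm `EXAMPLE.COM`, the `stime` value and the request/reply payloads are all constructed; the DER encoder and decoder are minimal and handle only the single-byte tags a KRB-ERROR uses.

```python
"""Added example: the client-side reaction to KDC error code 52 (RFC 4120 7.2.2).
FakeKdc is a constructed stand-in for a KDC, not Active Directory; the DER
helpers cover only the single-byte tags found in a KRB-ERROR."""
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52
MSG_TYPE_KRB_ERROR = 30
TAG_KRB_ERROR = 0x60 | MSG_TYPE_KRB_ERROR     # [APPLICATION 30], constructed


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ctx(n: int, body: bytes) -> bytes:         # [n] EXPLICIT context-specific tag
    return tlv(0xA0 | n, body)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_krb_error(error_code: int, realm: bytes = b"EXAMPLE.COM") -> bytes:
    """Constructed KRB-ERROR carrying only the mandatory fields (RFC 4120 5.9.1)."""
    sname = tlv(0x30, ctx(0, der_int(2)) +
                ctx(1, tlv(0x30, tlv(0x1B, b"krbtgt") + tlv(0x1B, realm))))
    fields = (ctx(0, der_int(5))                        # pvno
              + ctx(1, der_int(MSG_TYPE_KRB_ERROR))     # msg-type
              + ctx(4, tlv(0x18, b"20050629184427Z"))   # stime (constructed value)
              + ctx(5, der_int(0))                      # susec
              + ctx(6, der_int(error_code))             # error-code
              + ctx(9, tlv(0x1B, realm))                # realm
              + ctx(10, sname))                         # sname
    return tlv(TAG_KRB_ERROR, tlv(0x30, fields))

def krb_error_code(msg: bytes):
    """error-code of a DER KRB-ERROR, or None when msg is any other message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_KRB_ERROR:
        return None
    tag, fields, _ = read_tlv(body, 0)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA6:                        # [6] error-code INTEGER
            _, raw, _ = read_tlv(value, 0)
            return int.from_bytes(raw, "big", signed=True)
    return None


def tcp_frame(msg: bytes) -> bytes:
    """RFC 4120 7.2.2 framing: 4-byte length whose high bit must be zero."""
    if len(msg) & 0x80000000:
        raise ValueError("message too long for Kerberos TCP framing")
    return struct.pack(">I", len(msg)) + msg

def tcp_unframe(framed: bytes) -> bytes:
    (n,) = struct.unpack(">I", framed[:4])
    return framed[4:4 + n]


class FakeKdc:
    """Stand-in KDC: over UDP it refuses with error 52 whenever its reply
    exceeds udp_limit, which is what a large (e.g. PAC-bearing) ticket does."""

    def __init__(self, reply: bytes, udp_limit: int = 1400):
        self.reply, self.udp_limit, self.log = reply, udp_limit, []

    def udp(self, request: bytes) -> bytes:
        self.log.append("udp")
        if len(self.reply) > self.udp_limit:
            return build_krb_error(KRB_ERR_RESPONSE_TOO_BIG)
        return self.reply

    def tcp(self, framed: bytes) -> bytes:
        self.log.append("tcp")
        tcp_unframe(framed)                    # a real KDC would parse the request here
        return tcp_frame(self.reply)


def kdc_exchange(kdc: FakeKdc, request: bytes) -> bytes:
    """Client side: UDP first, then the same request over TCP only if the KDC
    answered 52. A library without this step surfaces the raw error instead."""
    reply = kdc.udp(request)
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        reply = tcp_unframe(kdc.tcp(tcp_frame(request)))
    return reply
```

A client library that stops at the first branch of `kdc_exchange`, returning the KRB-ERROR to its caller instead of retrying, is exactly what the pam_krb5 log lines further down show: `tkt_with_pw returns: KRB5 error code 52`.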

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Haskins, Russell
Sent: Wednesday, June 29, 2005 3:56 PM
To: kerberos at mit.edu
Subject: MIT Kerberos 1.4.1, Solaris 8, & AD SSO

I am trying to get Single-Sign-On working with the *NIX boxes on our
campus network. The Windows AD is controlled by our outsourced IT group
so we can't drive any requirements on it. I have my Redhat Enterprise
Linux boxes authenticating correctly to the AD domain. However I've hit
the wall with Solaris 8 (we have a mix of Solaris, I started with 8).

I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
system. I configured the /etc/krb5.conf for the AD domain and kinit
returns a ticket (works as root or unprivileged user).

I configured /etc/pam.conf for kerberos:

# PAM configuration
#
# This file is configured to try pam_unix first, then pam_krb5
#
# Authentication management
#
other	auth sufficient	/usr/lib/security/$ISA/pam_unix.so.1
other	auth required	/usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
other	account required	/usr/lib/security/$ISA/pam_projects.so.1
other	account required	/usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here.  However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other	session optional	/usr/lib/security/$ISA/pam_krb5.so.1
other	session required	/usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
# You may have to fiddle with this if you have other account databases.
# If you have some centralized user management tool that users use to
# change their password then you may just want to remove the pam_krb5
# here.
#
other	password sufficient	/usr/lib/security/$ISA/pam_unix.so.1
other	password required	/usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#

I created a Solaris account for the principal (first.last), made sure
there was no shadow file entry for the account, then tried to login
using the principal name and kerberos passwd.

Login incorrect

I added logging to the pam.conf configuration and these are the messages
in /var/adm/messages:

Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth: pam_sm_authenticate flags = 0
Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='First.Last', uid=10526
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5: attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5: pam_sm_auth finalize ccname env, result = 9, env = 'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth: returning 9
Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(9)

Any ideas would be greatly appreciated.

Russ...

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
