Solaris 9 Pam problem

scanell scanell at jpl.nasa.gov
Thu Jun 30 17:57:42 EDT 2005 

Sorry, missed your reference to /etc/krb5/krb5.keytab

I can't tell from you email if you are using SEAM or MIT Kerberos.... but this I know holds true for the MIT Kerberos 1.4...

Get a copy of the keytab file from the master and place it accordingly...
MIT Kerberos 1.4 is /usr/local/var/krb5kdc/<name>.keytab

For SEAM, I believe it goes into the /etc/krb5 directory... do not recall for sure.

Since authentication is local with su, you need the key to decrypt the password which is in the keytab file.

Check you master server logs and see if it is giving you a failure to decrypt... that would be a good indication that the local host cannot checksum the tickets because the key is on the master where the password ticket was create... now you need that key to decrypt on the client side.

Someone will probably say I am all wet, but this is what I had to do for ssh between Solaris 9 boxes using pam_krb5.so.1....
Once I place a copy of the master keytab file on the SUN server, I was then able to authenticate using Kerberos.

Steve
Daniel Wachdorf wrote:

>I am trying to setup pam (with su for starters) on a solaris 9 system.  Its
>up to date with all the recommended patches.
>
>I have a valid krb5.conf file in /etc/ and sym-linked to
>/etc/krb5/krb5.conf.  It has the following in libdefaults:
>
>default_tkt_enctypes = des-cbc-crc
>default_tgs_enctypes = des-cbc-crc
>
>I created a keytab and symlinked it to /etc/krb5/krb5.keytab.
>
># klist -e -k /etc/krb5/krb5.keytab
>Keytab name: FILE:/etc/krb5/krb5.keytab
>KVNO Principal
>---- 
>--------------------------------------------------------------------------
>   2 host/vmtest2c.sandia.gov at dce.sandia.gov
><mailto:host/vmtest2c.sandia.gov at dce.sandia.gov>  (DES-CBC-CRC)
>   2 host/vmtest2c.sandia.gov at dce.sandia.gov
><mailto:host/vmtest2c.sandia.gov at dce.sandia.gov>  (DES-CBC-MD5)
>
>I have my /etc/hosts file with (IP address X to protect the innocent):
>
># cat /etc/hosts
>#
># Internet host table
>#
>127.0.0.1       localhost
>134.253.X.X  vmtest2c.sandia.gov vmtest2c    loghost
>
>I added the following to my pam.conf:
>
>su   auth sufficient         pam_krb5.so.1
>su   account sufficient      pam_krb5.so.1
>
>When I go to su as a Kerberos account I get:
>
>bash-2.05$ su drwachdz
>Enter Kerberos password for drwachdz:
>authentication failed:  Bad encryption type
>
>The log files show:
>
>Jun 29 16:35:06 vmtest2c su: [ID 537602 auth.error] PAM-KRB5 (auth):
>krb5_verify_init_creds failed: Bad encryption type
>
>Any ideas?
>
>-dan
>
>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
>
>  
>

More information about the Kerberos mailing list