Solaris 9 Pam problem

Wachdorf, Daniel R drwachd at sandia.gov
Thu Jun 30 18:08:33 EDT 2005


I symlinked /etc/v5srvtab to /etc/krb5/krb5.keytab - which is what SEAM
is looking for.

I looked at the server logs - it's issuing a ticket fine.  I even
sniffed the traffic, the AS request goes through fine.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of scanell
Sent: Thursday, June 30, 2005 3:58 PM
To: Kerberos list
Subject: Re: Solaris 9 Pam problem

Sorry, missed your reference to /etc/krb5/krb5.keytab

I can't tell from your email if you are using SEAM or MIT Kerberos....
but this I know holds true for the MIT Kerberos 1.4...

Get a copy of the keytab file from the master and place it
accordingly...
MIT Kerberos 1.4 is /usr/local/var/krb5kdc/<name>.keytab

For SEAM, I believe it goes into the /etc/krb5 directory... do not
recall for sure.

Since authentication is local with su, you need the key to decrypt the
password which is in the keytab file.

Check your master server logs and see if it is giving you a failure to
decrypt... that would be a good indication that the local host cannot
checksum the tickets because the key is on the master where the password
ticket was created... now you need that key to decrypt on the client
side.

Someone will probably say I am all wet, but this is what I had to do for
ssh between Solaris 9 boxes using pam_krb5.so.1....
Once I placed a copy of the master keytab file on the SUN server, I was
then able to authenticate using Kerberos.

Steve

Daniel Wachdorf wrote:

>I am trying to set up pam (with su for starters) on a Solaris 9 system. It's
>up to date with all the recommended patches.
>
>I have a valid krb5.conf file in /etc/ and sym-linked to
>/etc/krb5/krb5.conf.  It has the following in libdefaults:
>
>default_tkt_enctypes = des-cbc-crc
>default_tgs_enctypes = des-cbc-crc
>
>I created a keytab and symlinked it to /etc/krb5/krb5.keytab.
>
># klist -e -k /etc/krb5/krb5.keytab
>Keytab name: FILE:/etc/krb5/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   2 host/vmtest2c.sandia.gov at dce.sandia.gov  (DES-CBC-CRC)
>   2 host/vmtest2c.sandia.gov at dce.sandia.gov  (DES-CBC-MD5)
>
>I have my /etc/hosts file with (IP address X to protect the innocent):
>
># cat /etc/hosts
>#
># Internet host table
>#
>127.0.0.1       localhost
>134.253.X.X  vmtest2c.sandia.gov vmtest2c    loghost
>
>I added the following to my pam.conf:
>
>su   auth sufficient         pam_krb5.so.1
>su   account sufficient      pam_krb5.so.1
>
>When I go to su as a Kerberos account I get:
>
>bash-2.05$ su drwachdz
>Enter Kerberos password for drwachdz:
>authentication failed:  Bad encryption type
>
>The log files show:
>
>Jun 29 16:35:06 vmtest2c su: [ID 537602 auth.error] PAM-KRB5 (auth):
>krb5_verify_init_creds failed: Bad encryption type
>
>Any ideas?
>
>-dan
>
>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
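
The comparison the original post lays out by hand (the enctypes in krb5.conf against the enctypes in the keytab), written as an added example that is not code from the thread. The function names, the sample text and the placeholder principal are constructed for illustration, and it assumes klist prints short enctype names in parentheses as in the post.

```python
import re

# Constructed sample input. The enctype lines match the post; the principal
# name is a placeholder, not the host from the thread.
KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
"""
KLIST_OUT = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/client.example.com@EXAMPLE.COM (DES-CBC-CRC)
   2 host/client.example.com@EXAMPLE.COM (DES-CBC-MD5)
"""
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def conf_enctypes(conf_text, key):
    """Return the enctypes set for `key` in [libdefaults], lower-cased."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            if name == key:
                return [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return []

def keytab_enctypes(klist_text, principal):
    """Map enctype -> set of KVNOs the keytab holds for `principal`."""
    held = {}
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2) == principal:
            held.setdefault(m.group(3).lower(), set()).add(int(m.group(1)))
    return held

def missing_keys(conf_text, klist_text, principal):
    """Per krb5.conf setting, list enctypes that have no keytab key."""
    held = keytab_enctypes(klist_text, principal)
    keys = ("default_tkt_enctypes", "default_tgs_enctypes")
    return {k: [e for e in conf_enctypes(conf_text, k) if e not in held]
            for k in keys}

if __name__ == "__main__":
    print(missing_keys(KRB5_CONF, KLIST_OUT, "host/client.example.com@EXAMPLE.COM"))
```

With the values shown in the post both lists come back empty, meaning the two files agree with each other; the check says nothing about which enctype the KDC actually used for the ticket.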




