Kerberos authentication does not seem to work when auditing is enabled on Solaris 9
Daniels, James (Contractor) (J6B)
James.R.Daniels.ctr at dla.mil
Fri Oct 28 09:51:02 EDT 2005
I am running Solaris 9 with auditing turned on (/etc/security/bsmconv).
The problem I am having is that I cannot log on with dtlogin via
Kerberos authentication as long as auditing is enabled. If I disable
auditing I have no problem logging in with my Kerberos account. I am up
to the latest patch cluster. I have been working with SUN for over a month
and not getting anywhere. SSH, login and kinit work using Kerberos. The
only time I have a problem is when trying to log in using dtlogin with
Kerberos. When I try to log in with my Kerberos account the screen
flashes and then sends me back out to the login screen. The account I
am using resides on the KDC, which is a Windows 2003 DC, and also within
the passwd file. The passwords do not match, so I can tell which one I
am actually logging into.
Here is a copy of my pam.conf file, which works for ssh (both Kerberos and
local), login (both Kerberos and local), and dtlogin local. The only issue
I have is dtlogin using Kerberos authentication with auditing enabled.
Turn auditing off and I get right in. Any help would be greatly
appreciated. I have duplicated the same symptoms on two different
Solaris 9 systems. My Solaris 8 systems are working fine.
# more pam.conf
#
#ident "@(#)pam.conf 1.16 01/01/24 SMI"
#
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Authentication management
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
#
#dtlogin auth requisite pam_authtok_get.so.1
#dtlogin auth required pam_dhkeys.so.1
dtlogin auth sufficient pam_unix.so.1
dtlogin auth sufficient pam_krb5.so.1 try_first_pass debug
#
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth sufficient pam_krb5.so.1 use_first_pass debug
#
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth sufficient pam_unix_auth.so.1
dtsession auth sufficient pam_krb5.so.1 try_first_pass debug
#
# Leave this stack for the default
#
############################################################################
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
#
############################################################################
#
# Account management
#
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account required pam_unix_account.so.1
#
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account required pam_unix_account.so.1
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Session management
#
other session sufficient pam_krb5.so.1
other session required pam_unix_session.so.1
#
# Password management
# Leave stack for changing local passwords
#
####################################################################################
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
####################################################################################
#
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#dtlogin auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#dtlogin account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
#
# Support for Solaris PPP (sppp)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1
ppp session required pam_unix_session.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
#cron account optional pam_krb5.so.1
#
krb5.conf
#
# Copyright (c) 1998, by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)krb5.conf 1.10 98/11/11 SMI"
[libdefaults]
default_realm = local.domain
default_tkt_enctypes = des-cbc-md5
default_tgs_enctype = des-cbc-md5
[realms]
local.domain= {
kdc = xxx.xxx.xxx.x
kdc = xxx.xxx.xxx.x
admin_server = xxx.xx.xxx.x
kpasswd_server = xxx.xx.xx.xx
kpasswd_protocol= SET_CHANGE
}
[domain_realm]
.local.domain= LOCAL.DOMAIN
local.domain= LOCAL.DOMAIN
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log