Kerberos authentication does not seem to work when auditing is enabled on Solaris 9

[Nicolas Williams]

On Fri, Oct 28, 2005 at 09:51:02AM -0400, Daniels, James (Contractor) (J6B) wrote:
> I am running Solaris 9 with auditing turned on (etc/security/bsmconv).
> The problem I am having is that I can not logon with dtlogin via
> Kerberos authentication as long as auditing is enabled.  If I disable
> auditing I have no problem logging in with my Kerberos account.  I am up
> to the latest patch cluster. I have been working SUN for over a month
> and not getting anywhere.  SSH, login, kinit works using Kerberos.  The
> only time I have a problem is when trying to log in using dtlogin with
> Kerberos.  When I try to login with my Kerberos account the screen
> flashes and then sends me back out to the login screen.  the account I
> am using resides on the KDC which is a Windows 2003 DC and also within
> the passwd file.  The passwords to not match so I can tell which one I
> am actually logging into.  
>  
> here is a copy of my pam.conf file which works for ssh both Kerberos and
> local, login both Kerberos and local, and dtlogin local  The only issue
> I have is dtlogin using Kerberos authentication with auditing enabled.
> turn auditing off and I get right in. Any help would be greatly
> appreciated.  I have duplicated the same symptoms on two different
> Solaris 9 systems.  My Solaris 8 systems are working fine. 

You should definitely add pam_krb5 to the account stacks of the services
that use pam_krb5 in their auth stacks as well.

I don't know if this will fix the problem though.  Let me know.

Nico
--