Kerberos PAM help on Solaris 10

Erich Weiler weiler at soe.ucsc.edu
Fri Jun 30 11:54:43 EDT 2006


Hi All-

I'm hoping some of you Sun Kerberos gurus can tell me if my problem can 
be resolved... Basically I have my test Solaris 10 system set up to 
authenticate, via PAM, in 3 ways.

First it checks if you have a local account and then lets you in if so.

Second it checks to see if you have a Kerberos account and if so 
authenticates you using Kerberos (getting a ticket) and uses LDAP 
account information.

Third, if you have no Kerberos account, it checks your LDAP password and 
if correct lets you in using your LDAP account info.

Basically I can get things working but the Kerberos PAM module is VERY 
chatty! If I log in with my LDAP password, pam_krb5 always tells me 
"Kerberos authentication failed" during dtlogin or ssh login, and then 
lets me in. But it's very annoying, and will confuse my users.

Example: (logging in using LDAP password):

--------------------------
% ssh weiler@testhost
weiler@testhost's password:
Kerberos authentication failed

Last login: Fri Jun 30 08:33:26 2006 from banshee.cse.ucs

You have mail.
testhost:/home/weiler%
--------------------------

And if I use my Kerberos password it gives me no errors and logs me in. 
With dtlogin, a pop-up window actually pops up saying the same thing, 
"Kerberos Authentication Failed" and you have to click the "OK" button 
and then it logs you in.

I guess my question is: Is there any way to tell Kerberos to be quiet? I 
don't care if Kerberos authentication fails when people are logging in 
using LDAP credentials, I just don't want it to keep telling me it 
failed every time. The "nowarn" flag used with pam_krb5.so.1 in pam.conf 
doesn't seem to help...

Here's my /etc/pam.conf if it will help:

login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_krb5.so.1
login auth sufficient pam_ldap.so.1
#
dtsession auth sufficient pam_unix_auth.so.1
dtsession auth sufficient pam_krb5.so.1
dtsession auth sufficient pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth sufficient pam_krb5.so.1 nowarn
other auth sufficient pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_passwd_auth.so.1
passwd auth sufficient pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
passwd account sufficient pam_unix_account.so.1
passwd account sufficient pam_ldap.so.1
#
other account sufficient pam_unix_account.so.1
other account sufficient pam_ldap.so.1
other account sufficient pam_krb5.so.1 nowarn
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session sufficient pam_unix_session.so.1
other session sufficient pam_ldap.so.1
other session sufficient pam_krb5.so.1 nowarn
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

Thanks a million in advance for any insight!

ciao, erich
