Solaris + KRB5 + Active Directory... Almost working

SirBob Shark___007 shark___007 at
Thu Mar 2 17:22:19 EST 2006

I am trying to set up my Solaris 10 box so that I can authenticate against 
my Active Directory domain. For the application that I am using this for, all 
I need to do is authenticate against the domain; I do not need to be able to 
return other info (like home directory, user info, etc.)

I have krb5 set up and when I do a kinit username it will authenticate 
against the active directory domain, and it reports success.

I have now set up pam to use, but I get the error
"krb5_verify_init_creds failed: New Password cannot be zero length" when I 
try to log on using any pam enabled service (ssh, console, pop3 etc.). 
Despite the error, in the Windows event log, I see a successful logon.

I created an account on the AD domain and used the ktpass command to create 
the keytab file:
ktpass -princ host/ at MYDOMAIN.COM -mapuser 
my_solaris_box -pass My_Password_for_This_Account -out my_solaris_box.keytab

I then moved that keytab file to /etc/krb5/krb5.keytab.  I also tried using 
ktutil to read the file and write a new keytab file.

When I enable pam_krb5 debugging I get the following:
[ID 634615 local0.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
[ID 896952 local0.debug] pam_unix_auth: entering pam_sm_authenticate()
[ID 655841 local0.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
[ID 549540 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: 
[ID 704353 local0.debug] PAM-KRB5 (auth): Forwardable tickets requested
[ID 912857 local0.debug] PAM-KRB5 (auth): Renewable tickets requested
[ID 179272 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth: 
krb5_get_init_creds_password returns: SUCCESS
[ID 537602 local0.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New 
password cannot be zero length
[ID 399723 local0.debug] PAM-KRB5 (auth): clearing initcreds in 
[ID 833335 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 4
[ID 914654 local0.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, 
result =4, env ='KRB5CCNAME=FILE:/tmp/krb5cc_502', age = 0, status = 4
[ID 525286 local0.debug] PAM-KRB5 (auth): end: System error
[ID 490997 local0.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 4

In the NT event log I can see the following when I try to log on:
Event Type:	Success Audit
Event Source:	Security
Event Category:	Account Logon
Event ID:	672
Date:		3/2/2006
Time:		11:07:58 AM
Computer:	MY_AD_SERVER
Authentication Ticket Request:
	User Name:		my_test_user
	Supplied Realm Name:	MYDOMAIN.COM
	User ID:			MYDOMAIN\my_test_user
	Service Name:		krbtgt
	Service ID:		MYDOMAIN\krbtgt
	Ticket Options:		0x40800010
	Result Code:		-
	Ticket Encryption Type:	0x17
	Pre-Authentication Type:	2
	Client Address:
	Certificate Issuer Name:
	Certificate Serial Number:
	Certificate Thumbprint:

For more information, see Help and Support Center at

If I monitor the network traffic I see the following error:
I am not sure if this is something that is an actual error, or just part of 
the normal Krb5 communication before a user is prompted for their 

I found that if I went into the user's account on the AD controller and 
checked the box
"Do not require Kerberos preauthentication" I would get the error "PAM-KRB5 
(auth): krb5_verify_init_creds failed: Matching credential not found"

The Windows account I am trying to use is active and I can log onto Windows 
workstations with it.  I have also tried a number of other windows accounts 
with the same results.

Windows Server = Windows Server 2003 Service Pack 1
Solaris System = Solaris 10

Does any one have any ideas?


Here are the details of the files that I am using:

default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

kdc =
admin_server =

[domain_realm] = MYDOMAIN.COM = MYDOMAIN.COM

default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10

kinit = {
renewable = true
forwardable= true
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

gkadmin = {
help_url =

kdc_ports = 88,750

profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth

pam.conf     (this has changed about a thousand times in my attempts)
login auth requisite
login auth required
#login auth sufficient /usr/lib/security/ try_first_pass
login auth optional
login auth required
login auth required
login auth required

# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient
rlogin auth requisite
rlogin auth required
rlogin auth required
rlogin auth required

# Kerberized rlogin service
krlogin auth required
krlogin auth binding
krlogin auth required

# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient
rsh auth required

# Kerberized rsh service
krsh auth required
krsh auth binding
krsh auth required

# Kerberized telnet service
ktelnet auth required
ktelnet auth binding
ktelnet auth required

# PPP service (explicit because of pam_dial_auth)
ppp auth requisite
ppp auth required
ppp auth required
ppp auth required
ppp auth required

# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#other auth requisite
#other auth required
#other auth required
#other auth required
#other auth sufficient try_first_pass
#other auth required /usr/lib/security/
other auth required

# passwd command (explicit because of a different authentication module)
passwd auth required

# cron service (explicit because of non-usage of
cron account required

# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite
other account required
#other account required /usr/lib/security/

# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required

# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required
other password requisite
other password requisite
other password required
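The debug output above shows the two stages of a pam_krb5 login: krb5_get_init_creds_password (the KDC accepting the user's password) succeeds, and only the later krb5_verify_init_creds step (pam_krb5 checking the freshly obtained TGT against the host key in /etc/krb5/krb5.keytab, the anti-KDC-spoofing check) fails. The following added example, not part of the original post, parses constructed PAM-KRB5 syslog lines modelled on the ones quoted here and reports which stage an attempt stopped at, so a keytab or host-principal problem is not mistaken for a bad user password; the function name and the sample log are assumptions.

```python
import re

# Constructed sample, modelled on the PAM-KRB5 debug lines quoted in the post
# (mailer line-wrapping undone so each syslog message is on one line).
SAMPLE_LOG = """\
[ID 655841 local0.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
[ID 549540 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth: start:
[ID 179272 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
[ID 537602 local0.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New password cannot be zero length
[ID 833335 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 4
[ID 525286 local0.debug] PAM-KRB5 (auth): end: System error
"""

GET_INIT = re.compile(r"krb5_get_init_creds_password returns: (.+)$")
VERIFY_FAIL = re.compile(r"krb5_verify_init_creds failed: (.+)$")
RETURN = re.compile(r"attempt_krb5_auth returning (\d+)$")


def classify_pam_krb5(log_text):
    """Return (stage, detail) describing where a pam_krb5 auth attempt stopped."""
    get_init = verify_fail = ret = None
    for line in log_text.splitlines():
        line = line.strip()
        m = GET_INIT.search(line)
        if m:
            get_init = m.group(1).strip()
        m = VERIFY_FAIL.search(line)
        if m:
            verify_fail = m.group(1).strip()
        m = RETURN.search(line)
        if m:
            ret = int(m.group(1))
    if get_init is None:
        return ("no_attempt", "no krb5_get_init_creds_password result seen")
    if get_init != "SUCCESS":
        # The KDC rejected the user: wrong password, unknown principal,
        # clock skew and similar user-side or KDC-side problems.
        return ("kdc_rejected_user", get_init)
    if verify_fail is not None:
        # The KDC accepted the user's password, so the user credentials are
        # fine; pam_krb5 then could not validate the TGT with the host key in
        # the keytab, which points at the keytab or host principal setup.
        return ("host_keytab_verify_failed", verify_fail)
    if ret not in (None, 0):
        # Solaris pam_krb5 maps internal errors to PAM_SYSTEM_ERR (4).
        return ("other_failure", "attempt_krb5_auth returned %d" % ret)
    return ("success", "TGT obtained and verified against the host keytab")
```

On the post's own output this returns host_keytab_verify_failed, consistent with the Windows audit log showing a successful TGT request for the user while the Solaris side still denies the login.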
