Solaris + KRB5 + Active Directory... Almost working
SirBob Shark___007
shark___007 at hotmail.com
Thu Mar 2 17:22:19 EST 2006
I am trying to set up my Solaris 10 box so that I can authenticate against
my Active Directory domain. For the application that I am using this for, all
I need to do is authenticate against the domain; I do not need to be able to
return other info (like home directory, user info, etc.).
I have krb5 set up and when I do a kinit username it will authenticate
against the active directory domain, and it reports success.
I have now set up PAM to use pam_krb5.so, but I get the error
"krb5_verify_init_creds failed: New Password cannot be zero length" when I
try to log on using any PAM-enabled service (ssh, console, pop3, etc.).
Despite the error, in the Windows event log I see a successful logon.
I created an account on the AD domain and used the ktpass command to create
the keytab file:
ktpass -princ host/my_solaris_box.mydomain.com@MYDOMAIN.COM -mapuser
my_solaris_box -pass My_Password_for_This_Account -out my_solaris_box.keytab
I then moved that keytab file to /etc/krb5/krb5.keytab. I also tried using
ktutil to read the file and write a new keytab file.
When I enable pam_krb5 debugging I get the following:
============================================================================================
[ID 634615 local0.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
[ID 896952 local0.debug] pam_unix_auth: entering pam_sm_authenticate()
[ID 655841 local0.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
[ID 549540 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth: start:
user='testuser'
[ID 704353 local0.debug] PAM-KRB5 (auth): Forwardable tickets requested
[ID 912857 local0.debug] PAM-KRB5 (auth): Renewable tickets requested
[ID 179272 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth:
krb5_get_init_creds_password returns: SUCCESS
[ID 537602 local0.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New
password cannot be zero length
[ID 399723 local0.debug] PAM-KRB5 (auth): clearing initcreds in
pam_authenticate()
[ID 833335 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 4
[ID 914654 local0.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env,
result =4, env ='KRB5CCNAME=FILE:/tmp/krb5cc_502', age = 0, status = 4
[ID 525286 local0.debug] PAM-KRB5 (auth): end: System error
[ID 490997 local0.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 4
============================================================================================
In the NT event log I can see the following when I try to log on:
===================================================================================
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 3/2/2006
Time: 11:07:58 AM
User: NT AUTHORITY\SYSTEM
Computer: MY_AD_SERVER
Description:
Authentication Ticket Request:
User Name: my_test_user
Supplied Realm Name: MYDOMAIN.COM
User ID: MYDOMAIN\my_test_user
Service Name: krbtgt
Service ID: MYDOMAIN\krbtgt
Ticket Options: 0x40800010
Result Code: -
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 192.168.1.23
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
===================================================================================
If I monitor the network traffic I see the following error:
========================================================
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
========================================================
I am not sure if this is an actual error, or just part of the normal Krb5
communication before a user is prompted for their password.
I found that if I went into the user's account on the AD controller and
checked off the box "Do not require Kerberos preauthentication", I would get
the error "PAM-KRB5 (auth): krb5_verify_init_creds failed: Matching
credential not found".
The Windows account I am trying to use is active and I can log onto Windows
workstations with it. I have also tried a number of other Windows accounts
with the same results.
Windows Server = Windows Server 2003 Service Pack 1
Solaris System = Solaris 10
Does anyone have any ideas?
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Here are the details of the files that I am using:
krb5.conf:
=======================
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MYDOMAIN.COM = {
kdc = my_ad_server.mydomain.com
admin_server = my_ad_server.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
=======================
kdc.conf
=======================
[kdcdefaults]
kdc_ports = 88,750
[realms]
MYDOMAIN.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
}
=======================
pam.conf (this has changed about a thousand times in my attempts)
=======================
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
#login auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass
login auth optional pam_krb5.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#other auth requisite pam_authtok_get.so.1
#other auth required pam_dhkeys.so.1
#other auth required pam_ldap.so.1
#other auth required pam_unix_cred.so.1
#other auth sufficient pam_unix_auth.so.1 try_first_pass
#other auth required /usr/lib/security/pam_ldap.so.1
other auth required pam_krb5.so.1
#
# passwd command (explicit because of a different authentication module)
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#other account required /usr/lib/security/pam_krb5.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
=======================
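The call that fails in the debug log, krb5_verify_init_creds, is pam_krb5 checking the freshly obtained TGT against the host key in /etc/krb5/krb5.keytab (by default the host/<fqdn>@<REALM> principal), so the first thing worth confirming is what that keytab actually contains: principal name (host name and realm are case-sensitive), kvno and enctype. Below is an added example, not code from the post or from Solaris: a parser for the version 2 keytab format that ktpass and ktutil write, plus a small builder used only to construct sample input; the sample principal and key bytes are constructed, not taken from any real system.

```python
import struct

def build_keytab(entries):
    """v2 keytab from (principal, kvno, enctype, key) tuples; used only to construct the sample input."""
    octet = lambda s: struct.pack(">H", len(s)) + s      # counted octet string: 16-bit length + bytes
    out = b"\x05\x02"                                     # format version written by ktpass and ktutil
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        parts = [realm] + name.split("/")                 # realm first, then the name components
        body = struct.pack(">H", len(parts) - 1) + b"".join(octet(p.encode()) for p in parts)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type NT-PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key        # keyblock: enctype, length, key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)  # size, entry, 32-bit kvno
    return out

def parse_keytab(blob):
    """Return {principal, kvno, enctype, key} for every live entry of a v2 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    def take(fmt):                     # unpack at the cursor and advance it
        nonlocal pos
        vals, pos = struct.unpack_from(fmt, blob, pos), pos + struct.calcsize(fmt)
        return vals
    def octet():
        nonlocal pos
        (n,) = take(">H")
        s, pos = blob[pos:pos + n], pos + n
        return s.decode()
    while pos + 4 <= len(blob):
        (size,) = take(">i")
        if size <= 0:                  # negative size marks a deleted slot; zero means no more data
            pos += -size or len(blob)
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = octet()
        comps = [octet() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = take(">IIB")
        enctype, klen = take(">HH")
        key, pos = blob[pos:pos + klen], pos + klen
        # a trailing 32-bit kvno, when present and non-zero, overrides the 8-bit field
        kvno = (struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else 0) or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype, "key": key})
    return entries

def host_entries(entries, fqdn, realm):
    """Entries pam_krb5's verify step can use: exact, case-sensitive match on host/<fqdn>@<REALM>."""
    return [e for e in entries if e["principal"] == "host/%s@%s" % (fqdn, realm)]
```

Run parse_keytab over the bytes of /etc/krb5/krb5.keytab and compare the reported principal, kvno and enctype (0x17 is RC4-HMAC, the type the AD event log shows) with what the KDC issues; an empty host_entries result means the verify step has no key to check the ticket with.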