Solaris + KRB5 + Active Directory... Almost working

SirBob Shark___007 shark___007 at hotmail.com
Thu Mar 2 17:22:19 EST 2006


I am trying to set up my Solaris 10 box so that I can authenticate against 
my Active directory Domain. For the application that I am using this for all 
I need to do is authenticate against the domain, I do not need to be able to 
return other info (like home directory, user info, ect)

I have krb5 set up and when I do a kinit username it will authenticate 
against the active directory domain, and it reports success.

I have now set up pam to use pam_krb5.so, but I get the error
"krb5_verify_init_creds failed: New Password cannot be zero length" when I 
try to log on using any pam enabled service (ssh, console, pop3 ect). 
Dispite the error, in the Windows event log, I see a sucessfull logon.

I created a account on the AD domain and used the ktpass command to create 
the keytab file:
ktpass -princ host/my_solaris_box.mydomain.com at MYDOMAIN.COM -mapuser 
my_solaris_box -pass My_Password_for_This_Account -out my_solaris_box.keytab

I then moved that keytab file to /etc/krb5/krb5.keytab.  I also tried using 
ktutil to read the file and write a new keytab file.

When I enable pam_krb5 debugging I get the following:
============================================================================================
[ID 634615 local0.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
[ID 896952 local0.debug] pam_unix_auth: entering pam_sm_authenticate()
[ID 655841 local0.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
[ID 549540 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: 
user='testuser'
[ID 704353 local0.debug] PAM-KRB5 (auth): Forwardable tickets requested
[ID 912857 local0.debug] PAM-KRB5 (auth): Renewable tickets requested
[ID 179272 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth: 
krb5_get_init_creds_password returns: SUCCESS
[ID 537602 local0.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New 
password cannot be zero length
[ID 399723 local0.debug] PAM-KRB5 (auth): clearing initcreds in 
pam_authenticate()
[ID 833335 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 4
[ID 914654 local0.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, 
result =4, env ='KRB5CCNAME=FILE:/tmp/krb5cc_502', age = 0, status = 4
[ID 525286 local0.debug] PAM-KRB5 (auth): end: System error
[ID 490997 local0.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 4
============================================================================================

In the NT event log I can see the following when I try to log on:
===================================================================================
Event Type:	Success Audit
Event Source:	Security
Event Category:	Account Logon
Event ID:	672
Date:		3/2/2006
Time:		11:07:58 AM
User:		NT AUTHORITY\SYSTEM
Computer:	MY_AD_SERVER
Description:
Authentication Ticket Request:
	User Name:		my_test_user
	Supplied Realm Name:	MYDOMAIN.COM
	User ID:			MYDOMAIN\my_test_user
	Service Name:		krbtgt
	Service ID:		MYDOMAIN\krbtgt
	Ticket Options:		0x40800010
	Result Code:		-
	Ticket Encryption Type:	0x17
	Pre-Authentication Type:	2
	Client Address:		192.168.1.23
	Certificate Issuer Name:
	Certificate Serial Number:
	Certificate Thumbprint:

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.
===================================================================================

If I monitor the network trafic I see the following error:
========================================================
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
========================================================
I am not sure if this is something that is a actual error, or just part of 
the normal Krb5 communication before a user is prompted to for their 
password.

I found that if I went into the users account on the AD controler and 
checked off the box
"Do not require Kerberos preauthentication" I would get the error "PAM-KRB5 
(auth): krb5_verify_init_creds failed: Matching credential not found"

The Windows account i am trying to use is active and I can log onto windows 
workstations with it.  I have also tried a number of other windows accounts 
with the same results.


Windows Server = Windows Server 2003 Service Pack 1
Solaris System = Solaris 10

Does any one have any ideas?


-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


Here are the details of the files that I am using:

krb5.conf:
=======================
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYDOMAIN.COM = {
kdc = my_ad_server.mydomain.com
admin_server = my_ad_server.mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
=======================

kdc.conf
=======================
[kdcdefaults]
kdc_ports = 88,750

[realms]
MYDOMAIN.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
}
=======================

pam.conf     (this has changed about a thousand times in my attempts)
=======================
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
#login auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass
login auth optional pam_krb5.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1


# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1

# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1

# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1

# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1

# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1

# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1

# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#other auth requisite pam_authtok_get.so.1
#other auth required pam_dhkeys.so.1
#other auth required pam_ldap.so.1
#other auth required pam_unix_cred.so.1
#other auth sufficient pam_unix_auth.so.1 try_first_pass
#other auth required /usr/lib/security/pam_ldap.so.1
other auth required pam_krb5.so.1

#
# passwd command (explicit because of a different authentication module)
passwd auth required pam_passwd_auth.so.1

#
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1

#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#other account required /usr/lib/security/pam_krb5.so.1

# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1

#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
=======================





More information about the Kerberos mailing list