Solaris 10 + pam_krbs + Active Directory.. What am I doing wrong?

Nicolas Williams Nicolas.Williams at sun.com
Fri Mar 3 00:52:01 EST 2006


On Thu, Mar 02, 2006 at 10:09:50PM +0000, SirBob Shark___007 wrote:
> I have now set up pam to use pam_krb5.so, but I get the error
> "krb5_verify_init_creds failed: New Password cannot be zero length" when I 
> try to log on using any pam enabled service (ssh, console, pop3 etc). 

That is very odd indeed!  We'll take a look tomorrow.

> Despite the error, in the Windows event log, I see a successful logon.

Yes, because the Kerberos V AS exchange succeeded -- that's all a KDC
needs to decide to log a successful logon event message.

> If I monitor the network traffic I see the following error:
> ========================================================
> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> ========================================================

This is normal.

> I am not sure if this is something that is an actual error, or just part of 
> the normal Krb5 communication before a user is prompted for their 
> password.
> 
> I found that if I went into the user's account on the AD controller and 
> checked off the box
> "Do not require Kerberos preauthentication" I would get the error "PAM-KRB5 
> (auth): krb5_verify_init_creds failed: Matching credential not found"

Is DNS configured on the Solaris machine?  Does the principal name you
gave the host match the canonical FQDN for its nodename?

> pam.conf     (this has changed about a thousand times in my attempts)
> =======================
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> #login auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass
> login auth optional pam_krb5.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1

The man page for pam_krb5 has a correct example.  Try making pam_krb5 be
sufficient, and if you do then make sure that pam_unix_cred comes first,
before pam_krb5.

Also, the 'login' service only applies to console text logins -- you
probably don't want to use pam_krb5 for that service, but for dtlogin,
sshd-*, etc...  or just 'other'.

Nico
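As an added illustration (not code from this thread or from Solaris), the following checker encodes the three points in the reply about the posted pam.conf: pam_krb5 should be "sufficient", pam_unix_cred must come before it, and the 'login' service only covers console text logins. The CORRECTED stack is my rendering of that advice for the 'other' service; the authoritative example is the one in the pam_krb5 man page, as the reply says.

```python
import re
from typing import List, Tuple

# Solaris pam.conf fields: service type control module [options]
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")

def parse_pam_conf(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (service, type, control, module) tuples, skipping comments/blanks."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop commented-out entries
        m = LINE_RE.match(line) if line else None
        if m:
            service, mtype, control, module = m.group(1, 2, 3, 4)
            stack.append((service, mtype, control, module.rsplit("/", 1)[-1]))
    return stack

def check_krb5_auth_stack(text: str, service: str) -> List[str]:
    """Report ordering/control problems in one service's auth stack."""
    auth = [e for e in parse_pam_conf(text) if e[0] == service and e[1] == "auth"]
    modules = [e[3] for e in auth]
    if "pam_krb5.so.1" not in modules:
        return [f"{service}: pam_krb5.so.1 not in auth stack"]
    krb_idx = modules.index("pam_krb5.so.1")
    problems = []
    if auth[krb_idx][2] != "sufficient":
        problems.append(f"{service}: pam_krb5.so.1 is '{auth[krb_idx][2]}', expected 'sufficient'")
    # 'sufficient' short-circuits the stack on success, so pam_unix_cred
    # must already have run by then.
    if "pam_unix_cred.so.1" not in modules[:krb_idx]:
        problems.append(f"{service}: pam_unix_cred.so.1 must come before pam_krb5.so.1")
    if service == "login":
        problems.append("login: only covers console text logins; use sshd-*, dtlogin or 'other'")
    return problems

# The stack as posted in the thread (constructed sample input).
POSTED = """login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
#login auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass
login auth optional pam_krb5.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
"""
# Assumed corrected stack following the reply's advice, applied to 'other'.
CORRECTED = """other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
"""

if __name__ == "__main__":
    print(check_krb5_auth_stack(POSTED, "login"))
    print(check_krb5_auth_stack(CORRECTED, "other"))
```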