Solaris 10 + pam_krbs + Active Directory.. What am I doing wrong?
Will Fiveash
William.Fiveash at sun.com
Fri Mar 3 16:08:01 EST 2006
On Thu, Mar 02, 2006 at 11:52:01PM -0600, Nicolas Williams wrote:
> On Thu, Mar 02, 2006 at 10:09:50PM +0000, SirBob Shark___007 wrote:
> > I have now set up pam to use pam_krb5.so, but I get the error
> > "krb5_verify_init_creds failed: New Password cannot be zero length" when I
> > try to log on using any pam enabled service (ssh, console, pop3 etc).
>
> That is very odd indeed! We'll take a look tomorrow.

Co-worker Shawn Emery wrote the following when dealing with a similar
problem:

  One thing I noticed from the error message was that the "New
  password cannot be zero length" is mapped to the
  KRB5_KT_KVNONOTFOUND error return value, which means that the keys
  for host/vbi.nm.nh.bar in their /etc/krb5/krb5.keytab file do not
  match those that are found in AD. Check to make sure that the
  Windows ktpass executable is not pre-w2k3; there is a known issue
  with it that always sets the key version numbers (kvno) to 1, while
  the w2k3+ AD server now enforces correct kvnos.

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
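
The diagnosis above comes down to comparing the kvno stored in the keytab with the kvno the AD KDC issues. The following is an added example, not code from this thread or from Sun: a Python reader for keytab file format 0x0502 that reports each entry's kvno and checks it against a KDC kvno supplied by the caller. The function names, the realm EXAMPLE.COM, enctype 23, the all-zero key and the KDC kvno values are constructed for illustration.

```python
import struct

def make_entry(realm, comps, kvno, enctype, key):
    """Build one constructed 0x0502 keytab entry (sample data only)."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab whose only key was written with kvno 1.
SAMPLE = b"\x05\x02" + make_entry("EXAMPLE.COM", ["host", "vbi.nm.nh.bar"], 1, 23, bytes(16))

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for each live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        rec, off = data[pos:pos + size], 2
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts = []
        for _ in range(ncomp + 1):       # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        kvno = rec[off + 8]              # skip 4-byte name type and 4-byte timestamp
        enctype, keylen = struct.unpack_from(">HH", rec, off + 9)
        off += 13 + keylen
        if len(rec) - off >= 4:          # optional 32-bit kvno overrides when nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return out

def check_kvno(data, principal, kdc_kvno):
    """Return (ok, keytab_kvnos); ok is False when no key has the KDC's kvno."""
    have = sorted({k for p, k, _ in parse_keytab(data) if p == principal})
    return (kdc_kvno in have, have)
```

A result of `(False, [1])` for the host principal is the situation described in the message: the keytab holds only kvno 1 while the KDC issues tickets under a different kvno.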