Solaris 10 + pam_krbs + Active Directory.. What am I doing wrong?

Will Fiveash William.Fiveash at
Fri Mar 3 16:08:01 EST 2006

On Thu, Mar 02, 2006 at 11:52:01PM -0600, Nicolas Williams wrote:
> On Thu, Mar 02, 2006 at 10:09:50PM +0000, SirBob Shark___007 wrote:
> > I have now set up pam to use, but I get the error
> > "krb5_verify_init_creds failed: New Password cannot be zero length" when I 
> > try to log on using any pam enabled service (ssh, console, pop3 ect). 
> That is very odd indeed!  We'll take a look tomorrow.

Co-worker Shawn Emery wrote the following when dealing with a similar

    One thing I noticed from the error message was that the "New
    password cannot be zero length" is mapped to the
    KRB5_KT_KVNONOTFOUND error return value.  Which means that the keys
    for host/ in their /etc/krb5/krb5.keytab file does not
    match those that are found in AD.  Check to make sure that the
    Windows ktpass executable is not pre-w2k3, there is a known issue
    with it that always sets the key version numbers (kvno) to 1, while
    the w2k3+ AD server now enforces correct kvnos.

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

More information about the Kerberos mailing list