Incorrect Kerberos Auth Config File?

Chris cc lazyboy_2k at yahoo.com
Tue Nov 7 17:10:20 EST 2006


Hi Guru,

I just finished setting up Kerberos authentication; however, I seem to
have a problem getting my initial credential to work.  I followed the
step-by-step procedure in the URL below & it still doesn't work.
According to the error msg, it looks like my pam.conf & krb5.conf files
aren't configured correctly.

Could someone please take a look at my pam.conf & krb5.conf files &
tell me which parameters should be removed? Or, if you have a good pam.conf
& krb.conf file & don't mind sharing it w/ me, please do.

I'd like my AD users to be able to telnet into a Solaris box using
their existing AD login name & password as well.  Any idea which
parameter I have to add to the pam.conf file?

http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx

# getent passwd 
test01:x:65535:101::/export/home/test01:/sbin/sh

# kinit 
Kinit (v5): can not contact any KDC for requested realm while getting
initial credentials.

# tail -f /var/adm/messages
...
dtsession [] PAM_KRB5 (sectcred): pam_setcred failed for root  (can not
retrieve user credentials).

Here is my krb5.conf file:

[libdefaults]
   default_realm = WHATEVER.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
   default_tkt_enctypes = des-cbc-md5 des-cbc-crc
   default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
   WHATEVER.COM = {
      kdc = dc1.whatever.com
     admin_server = dc1.example.com
     kpasswd_protocol = SET_CHANGE
     default_domain = whatever.com
     }

[domain_realm]
     *.whatever.com = WHATEVER.COM
      .whatever.com = WHATEVER.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        period = 1d
        version = 10
        }

[appdefaults]
        kinit = {
        renewable = true
        forwardable= true
        }


Here is my pam.conf:

# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
# login   auth sufficient          pam_krb5.so use_first_pass
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
#
# dtlogin (explicit to allow for separate control during
# testing)
#
dtlogin auth requisite           pam_authtok_get.so.1
dtlogin auth required           pam_unix_auth.so.1
#
#
# su (explicit to provide failsafe root access during testing)
#
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_unix_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
# other   auth sufficient         pam_krb5.so use_first_pass
other   password required       pam_authtok_store.so.1


Any help is appreciated.
Thanks,
-Chris
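
A consistency check for a krb5.conf like the one quoted above, as an added example that is not part of the original post: it flags enctype lists restricted to single DES (deprecated by RFC 6649) and realm hosts that fall outside default_domain. The sample text is a constructed, trimmed copy of the posted file, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the krb5.conf quoted in the post.
KRB5_CONF = """\
[libdefaults]
   default_realm = WHATEVER.COM
   default_tkt_enctypes = des-cbc-md5 des-cbc-crc
   default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
   WHATEVER.COM = {
      kdc = dc1.whatever.com
      admin_server = dc1.example.com
      default_domain = whatever.com
   }
"""

def parse_krb5(text):
    """Return {section: [(key, value), ...]}.

    Hypothetical helper: sub-blocks such as a realm body are flattened into
    their section, so it suits a file that defines a single realm.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line and not line.endswith("{"):
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value))
    return sections

def krb5_findings(text):
    """List enctype and hostname inconsistencies worth a second look."""
    conf = parse_krb5(text)
    lib, realm = dict(conf.get("libdefaults", [])), conf.get("realms", [])
    findings = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        enctypes = lib.get(key, "").split()
        if enctypes and all(e.startswith("des-") for e in enctypes):
            findings.append(f"{key}: single-DES only")
    domain = dict(realm).get("default_domain", "")
    for key, host in realm:
        name = host.split(":")[0]  # drop an optional :port suffix
        if key in ("kdc", "admin_server") and domain and not name.endswith("." + domain):
            findings.append(f"{key} {host} is outside {domain}")
    return findings
```

A finding is a prompt to compare the entry with the domain controller's real name and supported encryption types; it does not by itself explain the kinit error.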


