Incorrect Kerberos Auth Config File?
Chris cc
lazyboy_2k at yahoo.com
Tue Nov 7 17:10:20 EST 2006
Hi Guru,
I just finished setting up Kerberos authentication; however, I seem to
have a problem getting my initial credential to work. I followed the
step-by-step procedure in the URL below and it still doesn't work.
According to the error message, it looks like my pam.conf and krb5.conf files
aren't configured correctly.
Could someone please take a look at my pam.conf and krb5.conf files and
tell me which parameters should be removed? Or, if you have good pam.conf
and krb5.conf files and don't mind sharing them, please share them with me.
I'd also like my AD users to be able to telnet into a Solaris box using
their existing AD login name and password. Any idea which
parameter I have to add to the pam.conf file?
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx
# getent passwd
test01:x:65535:101::/export/home/test01:/sbin/sh
# kinit
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials.
# tail -f /var/adm/messages
...
dtsession[] PAM_KRB5 (setcred): pam_setcred failed for root (cannot retrieve user credentials).
Here is my krb5.conf file:
[libdefaults]
default_realm = WHATEVER.COM
dns_lookup_realm = false
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
WHATEVER.COM = {
kdc = dc1.whatever.com
admin_server = dc1.example.com
kpasswd_protocol = SET_CHANGE
default_domain = whatever.com
}
[domain_realm]
*.whatever.com = WHATEVER.COM
.whatever.com = WHATEVER.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
Here is my pam.conf:
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
# login auth sufficient pam_krb5.so use_first_pass
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
#
# dtlogin (explicit to allow for separate control during
# testing)
#
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_unix_auth.so.1
#
#
# su (explicit to provide failsafe root access during testing)
#
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
# other auth sufficient pam_krb5.so use_first_pass
other password required pam_authtok_store.so.1
Any help is appreciated.
Thanks,
-Chris
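The following is an added example, not part of Chris's post or of any vendor documentation: a small offline checker that parses a constructed copy of the krb5.conf above and a constructed excerpt of the pam.conf above (only the login, ktelnet and other auth stacks), then reports the things a reviewer would look at first: which KDCs are configured for the default realm, whether the enctypes are single-DES (deprecated by RFC 6649), whether admin_server sits in a different DNS domain than the KDC, and which PAM services actually have pam_krb5 in their auth stack once the Solaris fallback to the "other" stack is taken into account. The parsers, the WEAK_ENCTYPES list and the function names are this example's own assumptions; they handle only the syntax used in the post, not the full krb5.conf or pam.conf grammar.

```python
"""Offline sanity checks for the krb5.conf and pam.conf posted above (added example)."""
import re

# Constructed copy of the posted krb5.conf (same content, no changes).
KRB5_CONF = """\
[libdefaults]
default_realm = WHATEVER.COM
dns_lookup_realm = false
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
WHATEVER.COM = {
kdc = dc1.whatever.com
admin_server = dc1.example.com
kpasswd_protocol = SET_CHANGE
default_domain = whatever.com
}
[domain_realm]
*.whatever.com = WHATEVER.COM
.whatever.com = WHATEVER.COM
"""

# Constructed excerpt of the posted pam.conf: the auth stacks relevant to telnet.
PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
# login auth sufficient pam_krb5.so use_first_pass
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
"""

# Single-DES enctypes; RFC 6649 deprecates them (assumption: this list is the example's own).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values] or {nested block}}}.
    Repeated keys (several 'kdc =' lines) accumulate into a list."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # new top-level section
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                            # ignore text before the first section
        if line == "}":
            stack.pop()                         # close a 'name = { ... }' block
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def kdcs_for(conf, realm):
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])


def weak_enctypes(conf):
    """Return the single-DES enctypes requested in [libdefaults]."""
    found, libdefaults = set(), conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for value in libdefaults.get(key, []):
            found.update(e for e in value.split() if e in WEAK_ENCTYPES)
    return found


def admin_server_domain_mismatch(conf, realm):
    """True when admin_server is in a different DNS domain than every kdc entry."""
    r = conf.get("realms", {}).get(realm, {})
    domain = lambda host: host.split(":")[0].split(".", 1)[-1].lower()
    kdc_domains = {domain(h) for h in r.get("kdc", [])}
    return any(domain(h) not in kdc_domains for h in r.get("admin_server", []))


def parse_pam_conf(text):
    """Parse Solaris pam.conf into {(service, type): [(control, module, options)]}."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, including commented-out entries
        if len(fields) < 4:
            continue
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((control, module, fields[4:]))
    return stacks


def auth_stack(stacks, service):
    """Solaris uses the 'other' stack for any service without an explicit entry."""
    return stacks.get((service, "auth")) or stacks.get(("other", "auth"), [])


def uses_krb5(stacks, service):
    return any("pam_krb5" in module for _, module, _ in auth_stack(stacks, service))


def report():
    conf = parse_krb5_conf(KRB5_CONF)
    realm = conf["libdefaults"]["default_realm"][0]
    stacks = parse_pam_conf(PAM_CONF)
    return {
        "realm": realm,
        "kdcs": kdcs_for(conf, realm),
        "weak_enctypes": sorted(weak_enctypes(conf)),
        "admin_server_mismatch": admin_server_domain_mismatch(conf, realm),
        "krb5_auth_services": sorted(s for (s, t) in stacks if t == "auth" and uses_krb5(stacks, s)),
        "telnet_uses_krb5": uses_krb5(stacks, "telnet"),   # plain telnet falls back to 'other'
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run on the posted files, the report shows a single KDC in whatever.com, an admin_server in example.com, DES-only enctypes, and pam_krb5 present only in the ktelnet stack; a plain telnet login resolves to the "other" auth stack, which has no pam_krb5 entry.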