Incorrect Kerberos Auth Config File?
Edward Irvine at home
eirvine at tpg.com.au
Tue Nov 7 18:00:34 EST 2006
Chris,
You might try changing your domain_realm section to look a little more like this:
[domain_realm]
whatever.com = WHATEVER.COM
.whatever.com = WHATEVER.COM
Eddie
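To show why the leading-dot form matters, here is an added example (not code from the thread or from MIT Kerberos) that parses a constructed krb5.conf fragment, resolves hostnames to realms using the same lookup order as the [domain_realm] rules, and flags shell-style "*." keys. It returns None when no entry applies, which is where the real library would go on to try referrals or DNS.

```python
# Constructed sample: the [domain_realm] stanza from the thread, trimmed.
BROKEN = """
[libdefaults]
 default_realm = WHATEVER.COM
[realms]
 WHATEVER.COM = {
  kdc = dc1.whatever.com
 }
[domain_realm]
 *.whatever.com = WHATEVER.COM
 .whatever.com = WHATEVER.COM
"""
FIXED = BROKEN.replace("*.whatever.com", "whatever.com")  # Eddie's form

def parse_krb5_conf(text):
    # Minimal krb5.conf reader: [section], key = value, one level of { }.
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def host_realm(conf, hostname):
    # Exact host first, then each parent domain with and without the leading
    # dot (a bare "whatever.com" entry implicitly covers ".whatever.com").
    dr = conf.get("domain_realm", {})
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        dom = ".".join(labels[i:])
        for cand in ([dom] if i == 0 else ["." + dom, dom]):
            if cand in dr:
                return dr[cand]
    return None  # no entry applies; krb5 would then try referrals/DNS

def lint_domain_realm(conf):
    # krb5 matches parent domains by a leading dot; "*." is not a wildcard.
    return [f"'{k}': use '{k[1:]}' instead"
            for k in conf.get("domain_realm", {}) if k.startswith("*.")]
```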
Chris cc wrote:
> Hi Guru,
>
> I just finished setting up Kerberos authentication; however, I can't seem
> to get my initial credential to work. I followed the
> step-by-step procedure in the URL below & it still doesn't work.
> According to the error msg, it looks like my pam.conf & krb5.conf files
> aren't configured correctly.
>
> Could someone please take a look at my pam.conf & krb5.conf files &
> tell me which parameters should be removed, or if you have a good pam.conf
> & krb5.conf file & don't mind sharing them with me, please do?
>
> I'd like my AD users to be able to telnet into a Solaris box using
> their existing AD login name & password as well. Any ideas which
> parameter I have to add to the pam.conf file?
>
> http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx
>
> # getent passwd
> test01:x:65535:101::/export/home/test01:/sbin/sh
>
> # kinit
> Kinit (v5): can not contact any KDC for requested realm while getting
> initial credentials.
>
> # tail -f /var/adm/messages
> ...
> dtsession [] PAM_KRB5 (sectcred): pam_setcred failed for root (can not
> retrieve user credentials).
>
> Here is my krb5.conf file:
>
> [libdefaults]
> default_realm = WHATEVER.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [realms]
> WHATEVER.COM = {
> kdc = dc1.whatever.com
> admin_server = dc1.example.com
> kpasswd_protocol = SET_CHANGE
> default_domain = whatever.com
> }
>
> [domain_realm]
> *.whatever.com = WHATEVER.COM
> .whatever.com = WHATEVER.COM
>
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> version = 10
> }
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable= true
> }
>
>
> Here is my pam.conf:
>
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> # login auth sufficient pam_krb5.so use_first_pass
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> #
> # dtlogin (explicit to allow for separate control during
> # testing)
> #
> dtlogin auth requisite pam_authtok_get.so.1
> dtlogin auth required pam_unix_auth.so.1
> #
> #
> # su (explicit to provide failsafe root access during testing)
> #
> su auth requisite pam_authtok_get.so.1
> su auth required pam_unix_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth binding pam_krb5.so.1
> krlogin auth required pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth binding pam_krb5.so.1
> krsh auth required pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth binding pam_krb5.so.1
> ktelnet auth required pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> # other auth sufficient pam_krb5.so use_first_pass
> other password required pam_authtok_store.so.1
>
>
> Any help is appreciated.
> Thanks,
> -Chris