Incorrect Kerberos Auth Config File?

Will Fiveash William.Fiveash at sun.com
Tue Nov 7 18:42:21 EST 2006


On Tue, Nov 07, 2006 at 02:10:20PM -0800, Chris cc wrote:
> Hi Guru,
> 
> I just finished setting up Kerberos authentication; however, I seem to
> have a problem getting my initial credential to work.  I followed the
> step-by-step procedure in the URL below & it still doesn't work.
> According to the error msg, it looks like my pam.conf & krb5.conf files
> aren't configured correctly.
> 
> Could someone please take a look at my pam.conf & krb5.conf files &
> tell me which parameters should be removed, or, if you have a good pam.conf
> & krb5.conf file & don't mind sharing, please share it with me?
> 
> I'd like my AD users to be able to telnet into a Solaris box using
> their existing AD login name & password as well.  Any idea which
> parameter I have to add to the pam.conf file?

What version of Solaris?  Realize that Solaris Kerberos prior to Solaris
10 does not support TCP which the AD may use in certain situations.

I know in Solaris 10 this should work in pam.conf:

# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1

See the examples section of 'man pam_krb5' for more.
Also look at verify_ap_req_nofail in 'man krb5.conf'.

> http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx
> 
> # getent passwd 
> test01:x:65535:101::/export/home/test01:/sbin/sh
> 
> # kinit 
> Kinit (v5): can not contact any KDC for requested realm while getting
> initial credentials.
> 
> # tail -f /var/adm/messages
> ...
> dtsession [] PAM_KRB5 (sectcred): pam_setcred failed for root  (can not
> retrieve user credentials).
> 
> Here is my krb5.conf file:
> 
> [libdefaults]
>    default_realm = WHATEVER.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = true

Do you want to locate the KDC via the DNS servers?  If so, why
specify it in the realms section below?

>    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> 
> [realms]
>    WHATEVER.COM = {
>       kdc = dc1.whatever.com

Can you ping the KDC?

>      admin_server = dc1.example.com
>      kpasswd_protocol = SET_CHANGE
>      default_domain = whatever.com
>      }
> 
> [domain_realm]
>      *.whatever.com = WHATEVER.COM
>       .whatever.com = WHATEVER.COM
      .whatever.com = WHATEVER.COM
       whatever.com = WHATEVER.COM

is better.

> [logging]
>         default = FILE:/var/krb5/kdc.log
>         kdc = FILE:/var/krb5/kdc.log
>         kdc_rotate = {
>         period = 1d
>         version = 10
>         }
> 
> [appdefaults]
>         kinit = {
>         renewable = true
>         forwardable= true
>         }
> 
> 
> Here is my pam.conf:
> 
> # login service (explicit because of pam_dial_auth)
> #
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> # login   auth sufficient          pam_krb5.so use_first_pass
> login   auth required           pam_unix_cred.so.1
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
> #
> #
> # dtlogin (explicit to allow for separate control during
> # testing)
> #
> dtlogin auth requisite           pam_authtok_get.so.1
> dtlogin auth required           pam_unix_auth.so.1
> #
> #
> # su (explicit to provide failsafe root access during testing)
> #
> su      auth requisite          pam_authtok_get.so.1
> su      auth required           pam_unix_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin  auth sufficient         pam_rhosts_auth.so.1
> rlogin  auth requisite          pam_authtok_get.so.1
> rlogin  auth required           pam_dhkeys.so.1
> rlogin  auth required           pam_unix_cred.so.1
> rlogin  auth required           pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required           pam_unix_cred.so.1
> krlogin auth binding            pam_krb5.so.1
> krlogin auth required           pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh     auth sufficient         pam_rhosts_auth.so.1
> rsh     auth required           pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh    auth required           pam_unix_cred.so.1
> krsh    auth binding            pam_krb5.so.1
> krsh    auth required           pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required           pam_unix_cred.so.1
> ktelnet auth binding            pam_krb5.so.1
> ktelnet auth required           pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp     auth requisite          pam_authtok_get.so.1
> ppp     auth required           pam_dhkeys.so.1
> ppp     auth required           pam_unix_cred.so.1
> ppp     auth required           pam_unix_auth.so.1
> ppp     auth required           pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth required           pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication
> module)
> #
> passwd  auth required           pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron    account required        pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account
> management
> #
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session
> management
> #
> other   session required        pam_unix_session.so.1
> #
> # Default definition for  Password management
> # Used when service name is not explicitly mentioned for password
> management
> #
> other   password required       pam_dhkeys.so.1
> other   password requisite      pam_authtok_get.so.1
> other   password requisite      pam_authtok_check.so.1
> # other   auth sufficient         pam_krb5.so use_first_pass
> other   password required       pam_authtok_store.so.1
> 
> 
> Any help is appreciated.
> Thanks,
> -Chris
> 

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
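The [domain_realm] correction above (a `*.whatever.com` glob versus the `.whatever.com` / `whatever.com` pair) can be checked mechanically. This is an added example, not code from the thread or from MIT krb5: it parses only the [domain_realm] section of a krb5.conf-style text, flags glob keys that the library does not treat as patterns, and does a simplified MIT-style host-to-realm lookup (exact hostname first, then each parent domain with a leading dot). The sample configs are constructed from the thread.

```python
# Constructed samples modelled on the thread: the glob form the poster used
# and the suffix form recommended in the reply.
BROKEN = """
[domain_realm]
     *.whatever.com = WHATEVER.COM
      .whatever.com = WHATEVER.COM
"""
FIXED = """
[domain_realm]
     .whatever.com = WHATEVER.COM
      whatever.com = WHATEVER.COM
"""

def parse_domain_realm(text):
    """Return {domain_or_host: REALM} from a krb5.conf [domain_realm] section.
    Only flat 'key = value' lines are handled; other sections are skipped."""
    mapping, in_section = {}, False
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith('['):
            in_section = (line == '[domain_realm]')
            continue
        if in_section and '=' in line:
            key, realm = (s.strip() for s in line.split('=', 1))
            mapping[key.lower()] = realm           # domain keys compare case-insensitively
    return mapping

def lint_domain_realm(mapping):
    """Keys containing '*' are not patterns in krb5.conf; they match nothing."""
    return [k for k in mapping if '*' in k]

def host_to_realm(mapping, host):
    """Simplified MIT-style lookup: exact host, then '.parent.domain' suffixes."""
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None                                    # no mapping: library would fall back to DNS/default_realm
```

With the glob form, `whatever.com` itself maps to no realm and the `*.whatever.com` line is dead weight; the suffix form covers both the bare domain and every host under it.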