Incorrect Kerberos Auth Config File?
Will Fiveash
William.Fiveash at sun.com
Tue Nov 7 18:42:21 EST 2006
On Tue, Nov 07, 2006 at 02:10:20PM -0800, Chris cc wrote:
> Hi Guru,
>
> I just finished setting up Kerberos authentication; however, I seem to
> have a problem getting my initial credential to work. I followed the
> step-by-step procedure in the URL below & it still doesn't work.
> According to the error msg, it looks like my pam.conf & krb5.conf files
> aren't configured correctly.
>
> Could someone please take a look at my pam.conf & krb5.conf files &
> tell me which parameters should be removed, or if you have a good pam.conf
> & krb5.conf file & don't mind sharing, please share them w/ me?
>
> I'd like my AD users to be able to telnet into a Solaris box using
> their existing AD login name & password as well. Any ideas which
> parameter I have to add to the pam.conf file?
What version of Solaris? Realize that Solaris Kerberos prior to Solaris
10 does not support TCP, which AD may use in certain situations.
I know in Solaris 10 this should work in pam.conf:
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
See the examples section of 'man pam_krb5' for more.
Also look at verify_ap_req_nofail in 'man krb5.conf'.
> http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx
>
> # getent passwd
> test01:x:65535:101::/export/home/test01:/sbin/sh
>
> # kinit
> Kinit (v5): can not contact any KDC for requested realm while getting
> initial credentials.
>
> # tail -f /var/adm/messages
> ...
> dtsession [] PAM_KRB5 (sectcred): pam_setcred failed for root (can not
> retrieve user credentials).
>
> Here is my krb5.conf file:
>
> [libdefaults]
> default_realm = WHATEVER.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
Do you want to locate the KDC via the DNS servers? If so, why
specify it in the realm section below?
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [realms]
> WHATEVER.COM = {
> kdc = dc1.whatever.com
Can you ping the KDC?
> admin_server = dc1.example.com
> kpasswd_protocol = SET_CHANGE
> default_domain = whatever.com
> }
>
> [domain_realm]
> *.whatever.com = WHATEVER.COM
> .whatever.com = WHATEVER.COM
.whatever.com = WHATEVER.COM
whatever.com = WHATEVER.COM
is better.
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> version = 10
> }
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable= true
> }
>
>
> Here is my pam.conf:
>
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> # login auth sufficient pam_krb5.so use_first_pass
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> #
> # dtlogin (explicit to allow for separate control during
> # testing)
> #
> dtlogin auth requisite pam_authtok_get.so.1
> dtlogin auth required pam_unix_auth.so.1
> #
> #
> # su (explicit to provide failsafe root access during testing)
> #
> su auth requisite pam_authtok_get.so.1
> su auth required pam_unix_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth binding pam_krb5.so.1
> krlogin auth required pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth binding pam_krb5.so.1
> krsh auth required pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth binding pam_krb5.so.1
> ktelnet auth required pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication
> module)
> #
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account
> management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session
> management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password
> management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> # other auth sufficient pam_krb5.so use_first_pass
> other password required pam_authtok_store.so.1
>
>
> Any help is appreciated.
> Thanks,
> -Chris
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
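The two krb5.conf points raised in the reply above (dns_lookup_kdc set while a kdc is also hard-coded, and a [domain_realm] section that maps ".whatever.com" but not the bare "whatever.com") can be checked mechanically. The following is an added example, not code from the thread or from Sun; it assumes a minimal krb5.conf parser (one level of brace nesting, no include directives) and uses a sample config constructed from the one Chris posted:

```python
# Constructed from the krb5.conf posted in the thread (trimmed; not a live file).
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = WHATEVER.COM
dns_lookup_kdc = true
[realms]
WHATEVER.COM = {
kdc = dc1.whatever.com
default_domain = whatever.com
}
[domain_realm]
*.whatever.com = WHATEVER.COM
.whatever.com = WHATEVER.COM
"""

def parse_krb5_conf(text):
    # Minimal parser: [section], key = value, and key = { ... } one level deep.
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == '}':
            block = None                      # leave the current sub-block
        elif '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            if val == '{':
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = val
    return conf

def lint(conf):
    # Returns warnings for the two configuration points raised in the reply.
    warnings = []
    libdefaults = conf.get('libdefaults', {})
    realm = libdefaults.get('default_realm')
    realm_conf = conf.get('realms', {}).get(realm, {})
    # Point 1: DNS SRV lookup and an explicit kdc line are two sources for the same answer.
    if libdefaults.get('dns_lookup_kdc', '').lower() == 'true' and 'kdc' in realm_conf:
        warnings.append('dns_lookup_kdc = true but a kdc is also listed under [realms]')
    # Point 2: both ".domain" (subdomains) and the bare "domain" should map to the realm.
    domain = realm_conf.get('default_domain')
    mapping = conf.get('domain_realm', {})
    for pattern in ('.' + domain, domain) if domain else ():
        if mapping.get(pattern) != realm:
            warnings.append(f'[domain_realm] should map "{pattern} = {realm}"')
    return warnings
```

Run `lint(parse_krb5_conf(SAMPLE_KRB5_CONF))` to see both warnings; fixing the sample as the reply suggests makes the list empty.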