pam-krb5 3.0 - krb5_get_init_creds_password: Unknown code 9

Workman, Joe Joe.Workman at PacifiCorp.com
Tue Jan 2 14:13:40 EST 2007


Here is a summary of my environment:
 
Solaris 9
MIT Kerberos 5 v1.5.1
pam-krb5 v3.0
 
pam.conf config: (for application ovo)
 
ovo auth    sufficient  pam_unix.so.1
ovo auth    required   /usr/local/lib/security/pam_krb5.so

The configuration above works fabulously as long as the user types his/her
password properly. I would ultimately love to have the Kerberos auth
come first. But when I have this configuration I cannot log in with any
account that is not in Kerberos. (I get the same error as the first one
below.) Here are the conditions:
 
Local unix account (local password correct) - Works
Local account also in Kerberos (Kerberos password correct) - Works
Kerberos account but not local (Kerberos password correct) - Works
Local unix account not in Kerberos (local password wrong) - Bombs
 
[ID 584047 user.debug] (pam_krb5): opc_adm:
krb5_get_init_creds_password: Client not found in Kerberos database
[ID 584047 user.debug] (pam_krb5): opc_adm:
krb5_get_init_creds_password: Unknown code 13
[ID 584047 user.debug] (pam_krb5): opc_adm:
krb5_get_init_creds_password: Unknown code 9

The "Unknown code 9" error continues to log to syslog until the
initiating process is killed. 
 
Local account also in Kerberos (both local & Kerberos password wrong) -
Bombs
 
[ID 584047 user.debug] (pam_krb5): p19553: krb5_get_init_creds_password:
Preauthentication failed
[ID 584047 user.debug] (pam_krb5): p19553: krb5_get_init_creds_password:
Unknown code 9

The "Unknown code 9" error continues to log to syslog until the
initiating process is killed. 
 
Kerberos account but not local (Kerberos password wrong) - Bombs
 
[ID 584047 user.debug] (pam_krb5): p19553: krb5_get_init_creds_password:
Preauthentication failed
[ID 584047 user.debug] (pam_krb5): p19553: krb5_get_init_creds_password:
Unknown code 9

 
The "Unknown code 9" error continues to log to syslog until the
initiating process is killed. 
 
I really appreciate any help. I feel that I am missing something
elementary because this seems like a pretty common situation.
 
Cheers
Joe
