Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3

Douglas E. Engert deengert at anl.gov
Wed Sep 10 10:28:21 EDT 2008



Chavez, James R. wrote:
> Hello,
> Please point me to the correct list if this is wrong.
> I was having an issue compiling samba3.2.3 on my Solaris 10 box. It
> would not compile with the native Solaris 10 Kerberos libraries. I
> installed MIT Kerberos 1.6.3 from source and was able to successfully
> install Samba by pointing it to the MIT libraries. 
> Prior to installing MIT 1.6.3 Kerberos, I was getting debug information
> from pam_krb5.so.1. Since the installation however I get nothing. I get
> nothing in the messages log concerning the failed kerberos login
> attempts nor for successful. Is there something I can do to get pam_krb5
> to log messages again? Something perhaps I forgot to do after installing
> the MIT version. As I understand it, Solaris 10 Kerberos is based on MIT
> Kerberos. The way I was getting debug info from pam_krb5.so.1 previously
> was by appending debug to the lines in pam.conf. Does installing the MIT
> version of Kerberos change the way pam_krb5 logs debug output? Perhaps
> in the app_defaults section in the krb5.conf file?

When you say pam_krb5 fails, is it failing for the normal login
without any samba involved, or only when a samba program is calling
pam which calls pam_krb5?

Is this the Solaris provided pam_krb5, or did you build an open source
version?

Did you replace any of the /usr/lib/krb5 libs?

It could be a problem of the samba program loading the MIT libs, and
the pam_krb5 loading /usr/lib/krb5/libkadm5clnt.so.1 and
/usr/lib/gss/mech_krb5.so.1. There have duplicate routine
names. The pam_krb5 may be calling the MIT versions of these
routines and failing.

If you can run the program under truss you can see what libs are loaded,
and maybe where the pam_krb5 is failing.


> 
> Thanks
> James
> 
> pam.conf
> -----------------------
> #login
> login     auth requisite          pam_authtok_get.so.1
> login     auth required           pam_dhkeys.so.1
> login     auth sufficient         pam_krb5.so.1 debug
> login     auth required           pam_unix_auth.so.1
> login     account optional        pam_krb5.so.1 debug
> login     session required        pam_unix_session.so.1
> login     session optional        pam_krb5.so.1 debug
> login     password optional       pam_krb5.so.1 debug
> 
> 
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited.  If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list