Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3

Chavez, James R. james.chavez at sanmina-sci.com
Wed Sep 10 13:05:37 EDT 2008


Doug, Thanks for the reply.
I am actually using kerberos for authenticating logins through ssh. 
Because I had no DNS entry for this Solaris box I was getting the
following debug output from pam_krb5.

Aug 26 10:24:21 solaris1.example.com sshd[1147]: [ID 537602 auth.error]
PAM-KRB5 (auth): krb5_verify_init_creds failed: 
Hostname cannot be canonicalized.
This is indicative of DNS issues according to the Solaris Kerberos
Common errors guide.
The Windows team controls DNS and I am not on the Windows team. A
work around for me was to use Samba's net utility. However, Solaris 10's
version was not built with the proper flag to allow this, so I needed to
upgrade Samba to accomplish this. The Samba configure script was bombing
looking for krb5 libs, so I installed MIT and pointed it there.
 
Since I upgraded Samba and added the DNS entry I can successfully login
using kerberos creds with pam_krb5, however now the debug output is no
longer visible. Could be that everything is working flawlessly, but the
debug flag should still populate the messages log with pam_krb5 entries
regardless of success or failure, I would think. At least with Linux this
is true.

To answer your questions.
When you say pam_krb5 fails, is it failing for the normal login without
any samba involved, or only when a samba program is calling pam which
calls pam_krb5?
--This is during a normal login with no Samba involved. I am looking for
verbose output for success or failure.
Is this the Solaris provided pam_krb5, or did you build an open source
version?
--This is the Solaris version of pam_krb5.
Did you replace any of the /usr/lib/krb5 libs?
--The /usr/lib/krb5 libs should be intact, I installed the MIT stuff
into /usr/local, the default.
ldd /usr/lib/security/pam_krb5.so.1
        libkadm5clnt.so.1 =>     /usr/lib/krb5/libkadm5clnt.so.1
        mech_krb5.so.1 =>        /usr/lib/gss/mech_krb5.so.1
        libpam.so.1 =>   /lib/libpam.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libc.so.1 =>     /lib/libc.so.1
        libgss.so.1 =>   /usr/lib/libgss.so.1
        libsocket.so.1 =>        /lib/libsocket.so.1
        libresolv.so.2 =>        /lib/libresolv.so.2
        libpkcs11.so.1 =>        /usr/lib/libpkcs11.so.1
        libcmd.so.1 =>   /lib/libcmd.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libcryptoutil.so.1 =>    /usr/lib/libcryptoutil.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libm.so.2 =>     /lib/libm.so.2
        /platform/SUNW,Ultra-60/lib/libc_psr.so.1
        /platform/SUNW,Ultra-60/lib/libmd_psr.so.1
I ran a truss of klist and kinit and everything seems to be normal. I
would not know how to directly invoke a truss of pam_krb5, however.
Well, at least kerberos is authenticating. It would be nice to see some
debug though. Perhaps I can reinstall or freshen the pam_krb5 on my
Solaris box? I will have to look into that.

Thank you
James

 

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: Wednesday, September 10, 2008 7:28 AM
To: Chavez, James R.
Cc: kerberos at mit.edu
Subject: Re: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3



Chavez, James R. wrote:
> Hello,
> Please point me to the correct list if this is wrong.
> I was having an issue compiling samba3.2.3 on my Solaris 10 box. It 
> would not compile with the native Solaris 10 Kerberos libraries. I 
> installed MIT Kerberos 1.6.3 from source and was able to successfully 
> install Samba by pointing it to the MIT libraries.
> Prior to installing MIT 1.6.3 Kerberos, I was getting debug 
> information from pam_krb5.so.1. Since the installation however I get 
> nothing. I get nothing in the messages log concerning the failed 
> kerberos login attempts nor for successful. Is there something I can 
> do to get pam_krb5 to log messages again? Something perhaps I forgot 
> to do after installing the MIT version. As I understand it, Solaris 10
> Kerberos is based on MIT Kerberos. The way I was getting debug info 
> from pam_krb5.so.1 previously was by appending debug to the lines in 
> pam.conf. Does installing the MIT version of Kerberos change the way 
> pam_krb5 logs debug output? Perhaps in the app_defaults section in the
> krb5.conf file?

When you say pam_krb5 fails, is it failing for the normal login without
any samba involved, or only when a samba program is calling pam which
calls pam_krb5?

Is this the Solaris provided pam_krb5, or did you build an open source
version?

Did you replace any of the /usr/lib/krb5 libs?

It could be a problem of the samba program loading the MIT libs, and the
pam_krb5 loading /usr/lib/krb5/libkadm5clnt.so.1 and
/usr/lib/gss/mech_krb5.so.1. These have duplicate routine names. The
pam_krb5 may be calling the MIT versions of these routines and failing.

If you can run the program under truss you can see what libs are loaded,
and maybe where the pam_krb5 is failing.


> 
> Thanks
> James
> 
> pam.conf
> -----------------------
> #login
> login     auth requisite          pam_authtok_get.so.1
> login     auth required           pam_dhkeys.so.1
> login     auth sufficient         pam_krb5.so.1 debug
> login     auth required           pam_unix_auth.so.1
> login     account optional        pam_krb5.so.1 debug
> login     session required        pam_unix_session.so.1
> login     session optional        pam_krb5.so.1 debug
> login     password optional       pam_krb5.so.1 debug
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
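Doug's point above is that a process can end up with two Kerberos/GSS implementations (the Solaris-native /usr/lib/krb5 and /usr/lib/gss libraries and the MIT build in /usr/local) loaded at the same time, with symbol names colliding. The following checker is an added example written for this page; it is not code from either poster or from Solaris or MIT. It parses ldd(1) output and reports when Kerberos/GSS libraries resolve from more than one install tree, or when a dependency failed to resolve. The first sample is an excerpt of James's ldd output quoted earlier; the second is a constructed sample of what a binary linked against both stacks could look like. The set of directories treated as "native" is an assumption for this host.

```python
import os
import re
from collections import defaultdict

# Excerpt of the ldd output for /usr/lib/security/pam_krb5.so.1 quoted in the thread
SOLARIS_PAM_KRB5_LDD = """\
        libkadm5clnt.so.1 =>     /usr/lib/krb5/libkadm5clnt.so.1
        mech_krb5.so.1 =>        /usr/lib/gss/mech_krb5.so.1
        libpam.so.1 =>   /lib/libpam.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libc.so.1 =>     /lib/libc.so.1
        libgss.so.1 =>   /usr/lib/libgss.so.1
        libsocket.so.1 =>        /lib/libsocket.so.1
        libresolv.so.2 =>        /lib/libresolv.so.2
        /platform/SUNW,Ultra-60/lib/libc_psr.so.1
"""

# Constructed sample (not from the thread): a program built against MIT 1.6.3 in
# /usr/local that also pulls in the Solaris GSS mechanism, the mix Doug describes.
MIXED_LDD = """\
        libgssapi_krb5.so.2 =>   /usr/local/lib/libgssapi_krb5.so.2
        libkrb5.so.3 =>  /usr/local/lib/libkrb5.so.3
        libk5crypto.so.3 =>      /usr/local/lib/libk5crypto.so.3
        mech_krb5.so.1 =>        /usr/lib/gss/mech_krb5.so.1
        libgss.so.1 =>   /usr/lib/libgss.so.1
        libc.so.1 =>     /lib/libc.so.1
        libmissing.so.1 =>       (file not found)
"""

# Library names that implement Kerberos or GSS-API on either stack.
KRB_NAME = re.compile(r"^(lib)?(krb5|kadm5|gss|k5crypto|mech_krb5)", re.IGNORECASE)

# Directories of the Solaris-native Kerberos/GSS stack (assumption for this host;
# anything else, e.g. /usr/local/lib, counts as a separate install tree).
NATIVE_DIRS = {"/lib", "/usr/lib", "/usr/lib/krb5", "/usr/lib/gss"}


def parse_ldd(text):
    """Parse ldd(1) output into a list of (soname, resolved_path).

    Lines without '=>' are direct paths (e.g. the platform-specific libc_psr);
    '(file not found)' resolves to None so the caller can flag it.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=>" in line:
            soname, _, target = line.partition("=>")
            target = target.strip()
            path = None if target.startswith("(") else target
            deps.append((soname.strip(), path))
        else:
            deps.append((os.path.basename(line), line))
    return deps


def install_tree(path):
    """Classify a resolved library path as 'native' or by its directory."""
    directory = os.path.dirname(path)
    return "native" if directory in NATIVE_DIRS else directory


def kerberos_libs_by_tree(deps):
    """Group Kerberos/GSS libraries by the install tree they resolve from."""
    groups = defaultdict(set)
    for soname, path in deps:
        if path is not None and KRB_NAME.match(soname):
            groups[install_tree(path)].add(soname)
    return dict(groups)


def check_mixed_stacks(deps):
    """Return (ok, findings). ok is False when Kerberos/GSS libraries come from
    more than one install tree, or when any dependency failed to resolve."""
    findings = []
    for soname, path in deps:
        if path is None:
            findings.append("unresolved dependency: %s" % soname)
    groups = kerberos_libs_by_tree(deps)
    if len(groups) > 1:
        for tree, names in sorted(groups.items()):
            findings.append("%s: %s" % (tree, ", ".join(sorted(names))))
        findings.insert(0, "Kerberos/GSS libraries loaded from %d install trees"
                        % len(groups))
    return (not findings, findings)


if __name__ == "__main__":
    for label, text in (("pam_krb5.so.1", SOLARIS_PAM_KRB5_LDD),
                        ("mixed sample", MIXED_LDD)):
        ok, findings = check_mixed_stacks(parse_ldd(text))
        print("%s: %s" % (label, "clean" if ok else "SUSPECT"))
        for f in findings:
            print("  " + f)
```

To use it on a live system, feed the checker the output of `ldd` run against the program that calls PAM (the sshd binary, or a Samba binary built against /usr/local) rather than against the PAM module alone, since it is the calling process, not pam_krb5.so.1 by itself, that decides which copy of a duplicated routine gets bound first.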
