Solaris 8 Kerberos / Ldap Client Setup

Matthew.GARRETT@external.total.com Matthew.GARRETT at external.total.com
Thu May 14 12:23:53 EDT 2009 

Folks 

I am trying to setup a Solaris 8 client to talk to Kerberos / Ldap instead 
of using NIS 

Ldap works fine e.g getent passwd 
Displays the LDAP Pasword entries 

Kerberos: 
Doing a kinit USERNAME , works fine if I am logged on to the console as 
root user 
So would seem that /etc/krb/krb5.conf is configured correctly. 

I have changed /etc/pam.conf to use krb5 
e.g 
# PAM configuration 
# 
# This file is configured to try pam_unix first, then pam_krb5 
# 
# Authentication management 
# 
other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 
other   auth required   /usr/lib/security/$ISA/pam_krb5.so.1 
use_first_pass 
# 
# Account management 
# 
# pam_krb5 has a no-op account module, so we don't bother listing it here 
# 
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1 
other   account required        /usr/lib/security/$ISA/pam_projects.so.1 
other   account required        /usr/lib/security/$ISA/pam_unix.so.1 
# 
# Session management 
# 
# pam_krb5 destroys any credential cache on session close, so it's good 
# to have it here.  However, we also need pam_unix to be called, so don't 
# make pam_krb5 "sufficient". 
# 
other   session optional        /usr/lib/security/$ISA/pam_krb5.so.1 
other   session required        /usr/lib/security/$ISA/pam_unix.so.1 
# 
# Password management 
# 
# You may have to fiddle with this if you have other account databases. 
# If you have some centralized user management tool that users use to 
# change their password then you may just want to remove the pam_krb5 
# here. 
# 
other   password sufficient     /usr/lib/security/$ISA/pam_unix.so.1 
other   password required       /usr/lib/security/$ISA/pam_krb5.so.1 
use_first_pass 
# 

However when I try and login as a normal user /var/adm/authlog shows the 
following error's 

May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - 
debug = 1
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(1)
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(2)
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(5)
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(3)
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(4)
May 14 17:20:48 bruce login: [ID 859314 auth.debug] pam_set_item(9)
May 14 17:20:48 bruce login: [ID 207130 auth.debug] pam_authenticate()
May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: 
/usr/lib/security/pam_unix.so.1
May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: 
successful load of pam_sm_authenticate
May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: 
/usr/lib/security/pam_krb5.so.1
May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: 
successful load of pam_sm_authenticate
May 14 17:20:53 bruce login: [ID 859314 auth.debug] pam_set_item(2)
May 14 17:20:53 bruce login: [ID 976026 auth.warning] Unknown keyword 
encountered 'AP_BIND_TIME'. (at or near line 0).
May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6)
May 14 17:20:55 bruce login: [ID 427203 auth.debug] pam_authenticate: 
error Authentication failed
May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6)
May 14 17:20:55 bruce login: [ID 997726 auth.debug] pam_acct_mgmt()
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: 
/usr/lib/security/pam_roles.so.1
May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: 
successful load of pam_sm_acct_mgmt
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: 
/usr/lib/security/pam_projects.so.1
May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: 
successful load of pam_sm_acct_mgmt
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: 
/usr/lib/security/pam_unix.so.1
May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: 
successful load of pam_sm_acct_mgmt
May 14 17:20:55 bruce login: [ID 308033 auth.debug] pam_acct_mgmt: error 
No account present for user
May 14 17:20:55 bruce login: [ID 468494 auth.crit] login account failure: 
No account present for user
May 14 17:20:55 bruce login: [ID 690057 auth.debug] pam_end(): status = 
General PAM failure
May 14 17:20:55 bruce PAM: [ID 702575 auth.debug] pam_start(telnet 
.telnet) - debug = 1
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(1)
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(2)
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(5)
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(3)
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(4)
May 14 17:20:55 bruce PAM: [ID 924963 auth.debug] pam_close_session()
May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: 
/usr/lib/security/pam_krb5.so.1
May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: 
successful load of pam_sm_close_session
May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: 
/usr/lib/security/pam_unix.so.1
May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: 
successful load of pam_sm_close_session
May 14 17:20:55 bruce PAM: [ID 976026 auth.warning] Unknown keyword 
encountered 'AP_BIND_TIME'. (at or near line 0).
May 14 17:20:55 bruce PAM: [ID 599088 auth.debug] pam_close_session: error 
Authentication token manipulation error
May 14 17:20:55 bruce PAM: [ID 690057 auth.debug] pam_end(): status = 
Success

I am guessing that this is somthing to do with the message
 Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).

But I have no idea how this is been generated.
Note Kerberos / Ldap works fine on the RedHat Clients that I have all so 
setup.

Can any body sugest what I am doing wrong. 

Thanks 

Matthew 



 

 
Matthew Garrett
Senior IS Technical Analyst
Tel:       01224 297889
Fax:      01224 296806
Email:   Matthew.Garrett at total.com
Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG
Registered in England and Wales No.811900          
Registered Office 33 Cavendish Square, London W1G 0PW
This e-mail and any attachments are intended only for the person or entity
to whom it is addressed and may contain confidential or privileged
information.  If you are not the addressee, any disclosure, reproduction,
copying, distribution, or use of this communication is strictly prohibited.
If you are not the intended recipient or person responsible for delivering
this message to the named addressee, please notify us immediately and delete
this e-mail.
It is the responsibility of the addressee to scan this email and any
attachments for computer viruses or other defects.  The sender does not
accept liability for any loss or damage of any nature, however caused,
which may result directly or indirectly from this email or any file attached.

More information about the Kerberos mailing list