Solaris 8 Kerberos / Ldap Client Setup

Douglas E. Engert deengert at anl.gov
Thu May 14 15:13:25 EDT 2009


Matthew.GARRETT at external.total.com wrote:
> Folks,
> 
> I am trying to set up a Solaris 8 client to talk to Kerberos / LDAP instead 
> of using NIS.
> 
> LDAP works fine, e.g. getent passwd 
> displays the LDAP password entries.
> 
> Kerberos: 
> Doing a kinit USERNAME works fine if I am logged on to the console as 
> root user, 
> so it would seem that /etc/krb/krb5.conf is configured correctly. 
> 
> I have changed /etc/pam.conf to use krb5 
> e.g 
> # PAM configuration 
> # 
> # This file is configured to try pam_unix first, then pam_krb5 
> # 
> # Authentication management 
> # 
> other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 
> other   auth required   /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
> # 
> # Account management 
> # 
> # pam_krb5 has a no-op account module, so we don't bother listing it here 
> # 
> other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1 
> other   account required        /usr/lib/security/$ISA/pam_projects.so.1 
> other   account required        /usr/lib/security/$ISA/pam_unix.so.1 
> # 
> # Session management 
> # 
> # pam_krb5 destroys any credential cache on session close, so it's good 
> # to have it here.  However, we also need pam_unix to be called, so don't 
> # make pam_krb5 "sufficient". 
> # 
> other   session optional        /usr/lib/security/$ISA/pam_krb5.so.1 
> other   session required        /usr/lib/security/$ISA/pam_unix.so.1 
> # 
> # Password management 
> # 
> # You may have to fiddle with this if you have other account databases. 
> # If you have some centralized user management tool that users use to 
> # change their password then you may just want to remove the pam_krb5 
> # here. 
> # 
> other   password sufficient     /usr/lib/security/$ISA/pam_unix.so.1 
> other   password required       /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass 
> # 
> 

Try adding debug as a param on the above line.

> However, when I try and login as a normal user, /var/adm/authlog shows the 
> following errors: 
> 
> May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - 
> debug = 1

First of all, you should not use telnet, as the password may be sent over
the network in the clear. Consider using ssh.

> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(1)
> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(2)
> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(5)
> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(3)
> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(4)
> May 14 17:20:48 bruce login: [ID 859314 auth.debug] pam_set_item(9)
> May 14 17:20:48 bruce login: [ID 207130 auth.debug] pam_authenticate()
> May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: 
> /usr/lib/security/pam_unix.so.1
> May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: 
> successful load of pam_sm_authenticate
> May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: 
> /usr/lib/security/pam_krb5.so.1
> May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: 
> successful load of pam_sm_authenticate
> May 14 17:20:53 bruce login: [ID 859314 auth.debug] pam_set_item(2)
> May 14 17:20:53 bruce login: [ID 976026 auth.warning] Unknown keyword 
> encountered 'AP_BIND_TIME'. (at or near line 0).
> May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6)
> May 14 17:20:55 bruce login: [ID 427203 auth.debug] pam_authenticate: 
> error Authentication failed
> May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6)
> May 14 17:20:55 bruce login: [ID 997726 auth.debug] pam_acct_mgmt()
> May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: 
> /usr/lib/security/pam_roles.so.1
> May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: 
> successful load of pam_sm_acct_mgmt
> May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: 
> /usr/lib/security/pam_projects.so.1
> May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: 
> successful load of pam_sm_acct_mgmt
> May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: 
> /usr/lib/security/pam_unix.so.1
> May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: 
> successful load of pam_sm_acct_mgmt
> May 14 17:20:55 bruce login: [ID 308033 auth.debug] pam_acct_mgmt: error 
> No account present for user
> May 14 17:20:55 bruce login: [ID 468494 auth.crit] login account failure: 
> No account present for user

This says it can not find the account, so there is some issue with
the user account or the nsswitch.conf finding ldap, or how telnet is
passing in the username.


> May 14 17:20:55 bruce login: [ID 690057 auth.debug] pam_end(): status = 
> General PAM failure

The rest of this looks like it is in the close session after the above failure.

> May 14 17:20:55 bruce PAM: [ID 702575 auth.debug] pam_start(telnet 
> .telnet) - debug = 1
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(1)
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(2)
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(5)
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(3)
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(4)
> May 14 17:20:55 bruce PAM: [ID 924963 auth.debug] pam_close_session()
> May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: 
> /usr/lib/security/pam_krb5.so.1
> May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: 
> successful load of pam_sm_close_session
> May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: 
> /usr/lib/security/pam_unix.so.1
> May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: 
> successful load of pam_sm_close_session
> May 14 17:20:55 bruce PAM: [ID 976026 auth.warning] Unknown keyword 
> encountered 'AP_BIND_TIME'. (at or near line 0).
> May 14 17:20:55 bruce PAM: [ID 599088 auth.debug] pam_close_session: error 
> Authentication token manipulation error
> May 14 17:20:55 bruce PAM: [ID 690057 auth.debug] pam_end(): status = 
> Success
> 
> I am guessing that this is something to do with the message
>  Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
> 
> But I have no idea how this is being generated.
> Note Kerberos / LDAP works fine on the RedHat clients that I have also 
> set up.
> 
> Can anybody suggest what I am doing wrong? 

Add debug options to the pam.conf entries.

We don't have any Solaris 8 anymore, but when we did, we did not use the
Sun version of Kerberos or pam_krb5. We have used MIT Kerberos and various
pam_krb5 modules. (On Solaris 10 the Sun Kerberos, ssh and pam_krb5 work well.)

> 
> Thanks 
> 
> Matthew 
> 
> Matthew Garrett
> Senior IS Technical Analyst
> Tel:       01224 297889
> Fax:      01224 296806
> Email:   Matthew.Garrett at total.com
> Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG
> Registered in England and Wales No.811900          
> Registered Office 33 Cavendish Square, London W1G 0PW
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
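Douglas's advice above comes down to adding `debug` to the pam_krb5 entries. The script below is an added example, mine and not code from either poster: it parses a Solaris-style pam.conf (service, module type, control flag, module path, then options), prints each stack in file order, and appends `debug` to every pam_krb5 entry without adding it twice. It also rejects any entry with fewer than four fields, which is exactly what a `use_first_pass` left on its own line by mail wrapping would look like if it were copied into the real file. SAMPLE_PAM_CONF is constructed from the stack quoted in the thread; the module name default is an assumption.

```python
"""Parse a Solaris-style pam.conf and add the `debug` option to pam_krb5.

Added example, not code from the thread.  Each non-comment line of
pam.conf has the form
    service  module_type  control_flag  module_path  [option ...]
SAMPLE_PAM_CONF is constructed from the stack quoted in the thread.
"""
from typing import List, NamedTuple, Tuple

SAMPLE_PAM_CONF = """\
# Authentication management
other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other   auth required   /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
# Account management
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_projects.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
# Session management
other   session optional        /usr/lib/security/$ISA/pam_krb5.so.1
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
# Password management
other   password sufficient     /usr/lib/security/$ISA/pam_unix.so.1
other   password required       /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
"""


class Entry(NamedTuple):
    service: str
    module_type: str
    control_flag: str
    module_path: str
    options: List[str]


def parse_pam_conf(text: str) -> List[Entry]:
    """Return the entries in file order.  A line with fewer than four
    fields (for example a bare `use_first_pass` left on its own line by
    mail wrapping) is rejected rather than silently ignored."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: malformed pam.conf entry {raw!r}")
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries


def stack(entries: List[Entry], service: str, module_type: str) -> List[Tuple[str, str, List[str]]]:
    """The ordered (control_flag, module basename, options) stack for one
    service/type, e.g. stack(entries, "other", "auth")."""
    return [
        (e.control_flag, e.module_path.rsplit("/", 1)[-1], e.options)
        for e in entries
        if e.service == service and e.module_type == module_type
    ]


def add_debug(text: str, module: str = "pam_krb5.so.1") -> str:
    """Return pam.conf text with `debug` appended to every entry whose
    module path ends in `module` (assumed default: the Sun pam_krb5).
    Comments, blank lines and other entries pass through unchanged, and
    `debug` is never added twice, so the function is idempotent."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        is_entry = len(fields) >= 4 and not raw.lstrip().startswith("#")
        if is_entry and fields[3].endswith("/" + module) and "debug" not in fields[4:]:
            out.append(raw.rstrip() + " debug")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    for mtype in ("auth", "account", "session", "password"):
        print(mtype, stack(entries, "other", mtype))
    print(add_debug(SAMPLE_PAM_CONF))
```

Run as-is it prints the four stacks and then the same config with `debug` on the three pam_krb5 lines; feed it the real /etc/pam.conf and it will refuse to proceed if any entry is truncated the way the quoted auth line was in the mail.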

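To make the reading of the authlog above (authentication fails, then account management fails with "No account present for user") repeatable on a longer log, here is an added example, mine and not from either poster. It groups Solaris PAM debug lines by phase (pam_authenticate, pam_acct_mgmt, and so on), records which modules each phase loaded and which warnings were logged while it ran, and returns the error each phase ended with. SAMPLE_AUTHLOG is constructed from the excerpt quoted above with the pam_set_item lines dropped and the mail-wrapped lines re-joined; the syslog line layout and the set of phase names are assumptions based only on the lines shown.

```python
"""Triage a Solaris PAM debug authlog: which PAM phase failed, with what
error, and which modules each phase loaded.

Added example, not code from the thread.  SAMPLE_AUTHLOG is constructed
from the excerpt quoted in the thread (pam_set_item noise dropped,
wrapped lines re-joined).
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_AUTHLOG = """\
May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - debug = 1
May 14 17:20:48 bruce login: [ID 207130 auth.debug] pam_authenticate()
May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_krb5.so.1
May 14 17:20:53 bruce login: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
May 14 17:20:55 bruce login: [ID 427203 auth.debug] pam_authenticate: error Authentication failed
May 14 17:20:55 bruce login: [ID 997726 auth.debug] pam_acct_mgmt()
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_roles.so.1
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_projects.so.1
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
May 14 17:20:55 bruce login: [ID 308033 auth.debug] pam_acct_mgmt: error No account present for user
May 14 17:20:55 bruce login: [ID 468494 auth.crit] login account failure: No account present for user
May 14 17:20:55 bruce login: [ID 690057 auth.debug] pam_end(): status = General PAM failure
"""

# Assumed Solaris syslog layout: "<ts> <host> <tag>: [ID <n> <facility.level>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): "
    r"\[ID (?P<msgid>\d+) (?P<pri>[\w.]+)\] (?P<msg>.*)$"
)
# Phase entry points as they appear in the debug output, e.g. "pam_authenticate()"
PHASE_START = re.compile(
    r"^(pam_authenticate|pam_acct_mgmt|pam_setcred|pam_open_session|pam_close_session|pam_chauthtok)\(\)"
)
PHASE_ERROR = re.compile(r"^(pam_\w+): error (.+)$")
LOAD_RE = re.compile(r"^load_modules: (\S+)$")


def triage(log: str) -> Dict[str, dict]:
    """Map each PAM phase seen in the log to the modules it loaded, the
    warnings logged while it ran, and its final error (None if it passed)."""
    phases: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("pam_end()"):
            current = None            # end of this PAM conversation
            continue
        start = PHASE_START.match(msg)
        if start:
            current = start.group(1)
            phases[current] = {"modules": [], "warnings": [], "error": None}
            continue
        err = PHASE_ERROR.match(msg)
        if err and err.group(1) in phases:
            phases[err.group(1)]["error"] = err.group(2)
            continue
        if current is None:
            continue                  # pam_start / pam_set_item chatter
        load = LOAD_RE.match(msg)
        if load:
            phases[current]["modules"].append(load.group(1).rsplit("/", 1)[-1])
        elif m.group("pri").endswith(".warning"):
            phases[current]["warnings"].append(msg)
    return phases


def failed_phases(phases: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(phase, error) pairs in the order the phases ran."""
    return [(name, info["error"]) for name, info in phases.items() if info["error"]]


if __name__ == "__main__":
    result = triage(SAMPLE_AUTHLOG)
    for name, info in result.items():
        print(f"{name}: modules={info['modules']} error={info['error']!r}")
        for w in info["warnings"]:
            print(f"    warning during {name}: {w}")
    print("failed:", failed_phases(result))
```

On the sample it reports pam_authenticate ending in "Authentication failed" after loading pam_unix and pam_krb5, with the AP_BIND_TIME warning logged in between, and pam_acct_mgmt ending in "No account present for user" after loading only pam_roles, pam_projects and pam_unix. No Kerberos module runs in the account phase, so that second failure sits in the local account lookup path, which is consistent with the nsswitch/LDAP reading given above rather than with a KDC problem.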

