Solaris 8 Kerberos / Ldap Client Setup
Matthew.GARRETT@external.total.com
Fri May 15 04:17:42 EDT 2009
"Douglas E. Engert" <deengert at anl.gov> wrote on 14/05/2009 20:13:25:
>
> Matthew.GARRETT at external.total.com wrote:
> > Folks
> >
> > I am trying to set up a Solaris 8 client to talk to Kerberos / LDAP instead
> > of using NIS
> >
> > LDAP works fine, e.g. getent passwd
> > displays the LDAP password entries
> >
> > Kerberos:
> > Doing a kinit USERNAME works fine if I am logged on to the console as
> > root user
> > So would seem that /etc/krb/krb5.conf is configured correctly.
> >
> > I have changed /etc/pam.conf to use krb5
> > other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
> > other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
> > #
> >
>
Adding debug does not seem to generate any more details.
> Try adding debug as a param on the above line.
>
> > However when I try and login as a normal user /var/adm/authlog shows the
> > following errors
> >
> > May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) -
> > debug = 1
>
> First of all you should not use telnet, as the password may be sent over
> the network in the clear. Consider using ssh.
Normally we do use ssh, but for testing turned on telnet
in case ssh was causing problems.
> > No account present for user
>
> This says it can not find the account, so there is some issue with
> the user account or the nsswitch.conf finding ldap, or how telnet is
> passing in the username.
>
>
> add debug options to the pam.conf entries.
>
> We don't have any Solaris 8 anymore but when we did, we did not use the
> Sun version of Kerberos or pam_krb5. We have used MIT Kerberos and various
> pam_krb5 modules. (On Solaris 10 the Sun Kerberos, ssh and pam_krb5
> work well.)
>
Now that bit is interesting, maybe Solaris 8 stock version of Kerberos is
broken.
I will download the latest version and see if that makes any difference.
Matt