On Jul 26, 2004, at 9:00 AM, [EMAIL PROTECTED] wrote:
------------------------------------------------------------------------
Date: Mon, 26 Jul 2004 09:55:02 -0400
From: "Eliot Lebsack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Solaris pam-krb5 client and MIT krb5 KDC on Linux
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Message: 1
Good morning.
I've set up a KDC on a RHEL 3 box with NIS as the name service. All of my Linux boxes have no problem authenticating against this configuration.
When I attempted to migrate my Solaris 8 (2/02) Ultra 80 to this authentication/name service combination, using the on-board (non-SEAM) kerberos authentication tools which are run when reconfiguring a system (running sys-unconfig, then rebooting), I entered the fields for Kerberos as those used by my Linux machines.
I went ahead and synced up my /etc/krb5/krb5.conf file with that used by the Linux clients. I uncommented the pam.conf lines for the pam_krb5.so.1 module as directed by the documentation I could find on the web. I've even generated a keytab for the host principal, and moved it into /etc/krb5/krb5.keytab.
I've checked my DNS setup as well as NTP. Everything looks good.
When I attempt to log onto the Solaris 8 machine as a regular user, forcing the machine to refer to NIS/Kerberos for more information, the pam_krb5 authentication module refuses to allow access.
When I "su -" to the user from root, and do a kinit as the user, it successfully gets the Kerberos ticket.
It appears that pam_krb5 is not entering the authentication process correctly, or that it is not negotiating with the KDC correctly.
Has anyone else tried a similar configuration? I'm trying to do something real basic here; no kerberized NFS or anything like that.
I also tried installing SEAM for Solaris 8, and still had the same problem.
Regards,
Eliot
======================================================
Eliot Lebsack
(781) 271-5830
Lead Communications Engineer
The MITRE Corporation
Bedford, MA
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos