1) Can the user (once logged in) do a kinit? (If not, check krb5.conf permissions and contents.)

2) Can the user (once kinit'ed) get a host service ticket? (Try telnet'ing to yourself at the external network address. I think that will do it. If not, you need a second machine.)

3) Does the local keytab work? (Try kinit -k as root. klist should show you are kinit'ed as host/[EMAIL PROTECTED])

4) Does the host service ticket agree with the one in the local /etc/krb5/krb5.keytab? (Not sure exactly how to check this. The Solaris ktutil doesn't show much info. Presumably if both 2 and 3 work it should be OK, but they might be different kvno's.)

Don't know if Sol 8 is completely like Sol 9, but the pam modules need the host principal to work for full functionality on 9.

Isn't there a debug option for the pam modules?

On Jul 27, 2004, at 6:29 AM, Eliot Lebsack wrote:

Henry,

I checked all of the permissions, and they check out.
However, this does not fix the problem.

Regards,

Eliot

======================================================
Eliot Lebsack                         (781) 271-5830
Lead Communications Engineer      [EMAIL PROTECTED]
The MITRE Corporation                    Bedford, MA

-----Original Message-----
From: Henry B. Hotz [mailto:[EMAIL PROTECTED]
Sent: Monday, July 26, 2004 6:20 PM
To: Eliot Lebsack
Cc: [EMAIL PROTECTED]
Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)


Right, that's the problem. You need to set -rw-r--r-- (644) for krb5.conf.

Those permissions are correct for krb5.keytab.

Both should be root owned.

On Jul 26, 2004, at 1:05 PM, Eliot Lebsack wrote:

Henry,

Just checked - the permissions are -rw------- (0600).
Still have the same problem. The /etc/krb5/krb5.keytab
file is also set with the same permissions.

Regards,

Eliot


-----Original Message-----
From: Henry B. Hotz [mailto:[EMAIL PROTECTED]
Sent: Monday, July 26, 2004 3:17 PM
To: [EMAIL PROTECTED]
Cc: Eliot Lebsack
Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot Lebsack)


If it works as root, but not as a user, then it sounds like a permissions problem. Is /etc/krb5/krb5.conf world-readable?

On Jul 26, 2004, at 9:00 AM, [EMAIL PROTECTED] wrote:

Date: Mon, 26 Jul 2004 09:55:02 -0400
From: "Eliot Lebsack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Solaris pam-krb5 client and MIT krb5 KDC on Linux

Good morning.

I've set up a KDC on a RHEL 3 box with NIS as the
name service. All of my Linux boxes have no problem
authenticating against this configuration.

When I attempted to migrate my Solaris 8 (2/02) Ultra 80
to this authentication/name service combination, using
the on-board (non-SEAM) kerberos authentication tools
which are run when reconfiguring a system (running sys-unconfig,
then rebooting), I entered the fields for Kerberos
as those used by my Linux machines.

I went ahead and synced up my /etc/krb5/krb5.conf file with
that used by the Linux clients. I uncommented the pam.conf
lines for the pam_krb5.so.1 module as directed by the documentation
I could find on the web. I've even generated a keytab for the
host principal, and moved it into /etc/krb5/krb5.keytab.

I've checked my DNS setup as well as NTP. Everything looks good.

When I attempt to log onto the Solaris 8 machine as a regular
user, forcing the machine to refer to NIS/Kerberos for more
information, the pam_krb5 authentication module refuses to
allow access.

When I "su -" to the user from root, and do a kinit as the user,
it successfully gets the Kerberos ticket.

It appears that pam_krb5 is not entering the authentication
process correctly, or that it is not negotiating with the KDC
correctly.

Has anyone else tried a similar configuration? I'm trying to
do something real basic here; no kerberized NFS or anything like that.


I also tried installing SEAM for Solaris 8, and still had the
same problem.

Regards,

Eliot

======================================================
Eliot Lebsack                         (781) 271-5830
Lead Communications Engineer
The MITRE Corporation                    Bedford, MA
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
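
The ownership and mode settings given in the thread (krb5.conf at 644, krb5.keytab at 600, both owned by root) can be checked with a short script. This is an added example, not part of the original messages; the function names are hypothetical and the expected-owner UID is a parameter so the check can also be exercised on scratch copies.

```shell
#!/bin/sh
# Added example: verify owner and mode of the two files discussed in the thread.
# Function names are hypothetical; the wanted modes come from the thread.

# Print "<mode> <uid>" for a file. `ls -ln` is used because it behaves the
# same on Solaris and Linux; substr() drops any trailing ACL marker (+ or .).
mode_and_uid() {
    ls -ln "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# check_file PATH WANT_MODE [WANT_UID]
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be listed.
check_file() {
    want_uid=${3:-0}
    info=$(mode_and_uid "$1")
    if [ -z "$info" ]; then
        echo "MISSING  $1"
        return 2
    fi
    mode=${info% *}
    uid=${info#* }
    if [ "$mode" = "$2" ] && [ "$uid" = "$want_uid" ]; then
        echo "OK       $1 ($mode, uid $uid)"
        return 0
    fi
    echo "MISMATCH $1: have $mode uid $uid, want $2 uid $want_uid"
    return 1
}

# audit_krb5_files [DIR] [WANT_UID]
# krb5.conf must be world-readable so a non-root login path can read it;
# krb5.keytab holds the host key and must be readable by its owner only.
audit_krb5_files() {
    dir=${1:-/etc/krb5}
    owner=${2:-0}
    status=0
    check_file "$dir/krb5.conf"   -rw-r--r-- "$owner" || status=1
    check_file "$dir/krb5.keytab" -rw------- "$owner" || status=1
    return $status
}

# Usage on the client, as root: audit_krb5_files
```
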






________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
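
Item 4 of the checklist at the top of the thread asks whether the host service ticket agrees with the local keytab. One way to compare the key version numbers, as an added example that is not part of the original messages: it assumes the plain output formats of MIT `kvno <principal>` and `klist -k`, and the host name, realm and sample output below are constructed.

```shell
#!/bin/sh
# Added example: compare the kvno the KDC issues for a service principal with
# the kvno values held in the local keytab. Works on captured text, so it can
# be fed saved output from `kvno host/...` and `klist -k /etc/krb5/krb5.keytab`.

# Print the kvno from `kvno` output of the form "<principal>: kvno = N".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Print each distinct kvno that `klist -k` output ($1) lists for principal ($2).
keytab_kvnos() {
    printf '%s\n' "$1" | while read -r kv princ rest; do
        case $kv in ''|*[!0-9]*) continue ;; esac   # skip header and rule lines
        if [ "$princ" = "$2" ]; then printf '%s\n' "$kv"; fi
    done | sort -un
}

# compare_kvno KVNO_OUTPUT KLIST_OUTPUT PRINCIPAL
# Returns 0 if the keytab holds the kvno the KDC is issuing, 1 if it does not
# (stale keytab), 2 if either input could not be parsed.
compare_kvno() {
    kdc=$(kdc_kvno "$1")
    have=$(keytab_kvnos "$2" "$3")
    [ -n "$kdc" ] && [ -n "$have" ] || return 2
    for v in $have; do
        [ "$v" = "$kdc" ] && return 0
    done
    return 1
}

# Constructed sample data: the KDC is at kvno 4, the keytab still holds kvno 3.
SAMPLE_PRINC='host/sol8.example.com@EXAMPLE.COM'
SAMPLE_KVNO_OUT='host/sol8.example.com@EXAMPLE.COM: kvno = 4'
SAMPLE_KLIST_OUT='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/sol8.example.com@EXAMPLE.COM
   3 host/sol8.example.com@EXAMPLE.COM'

rc=0
compare_kvno "$SAMPLE_KVNO_OUT" "$SAMPLE_KLIST_OUT" "$SAMPLE_PRINC" || rc=$?
echo "compare_kvno exit status: $rc (0 match, 1 stale keytab, 2 unparsed)"
```

A result of 1 means the host key was changed on the KDC after the keytab was written, so the keytab has to be extracted again.
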
