On Tue, Nov 07, 2006 at 02:10:20PM -0800, Chris cc wrote:
> Hi Guru,
>
> I just finished setting up Kerberos authentication; however, I seem to
> have a problem getting my initial credential to work. I followed the
> step-by-step procedure in the URL below & it still doesn't work.
> According to the error msg, it looks like my pam.conf & krb5.conf files
> aren't configured correctly.
>
> Could someone please take a look at my pam.conf & krb5.conf files &
> tell me which parameters should be removed, or if you have a good pam.conf
> & krb.conf file & don't mind sharing it w/ me, please share it w/ me?
>
> I'd like my AD users to be able to telnet into a Solaris box using
> their existing AD login name & password as well. Any idea which
> parameter I have to add to the pam.conf file?
What version of Solaris? Realize that Solaris Kerberos prior to Solaris 10
does not support TCP, which AD may use in certain situations.

I know in Solaris 10 this should work in pam.conf:

# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1

See the examples section of 'man pam_krb5' for more. Also look at
verify_ap_req_nofail in 'man krb5.conf'.

> http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx
>
> # getent passwd
> test01:x:65535:101::/export/home/test01:/sbin/sh
>
> # kinit
> Kinit (v5): can not contact any KDC for requested realm while getting
> initial credentials.
>
> # tail -f /var/adm/messages
> ...
> dtsession [] PAM_KRB5 (sectcred): pam_setcred failed for root (can not
> retrieve user credentials).
>
> Here is my krb5.conf file:
>
> [libdefaults]
> default_realm = WHATEVER.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true

Do you want to locate the KDC via the DNS servers? If so, why specify
it in the realm section below?

> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [realms]
> WHATEVER.COM = {
> kdc = dc1.whatever.com

Can you ping the KDC?

> admin_server = dc1.example.com
> kpasswd_protocol = SET_CHANGE
> default_domain = whatever.com
> }
>
> [domain_realm]
> *.whatever.com = WHATEVER.COM
> .whatever.com = WHATEVER.COM

.whatever.com = WHATEVER.COM
whatever.com = WHATEVER.COM

is better.
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> version = 10
> }
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable = true
> }
>
>
> Here is my pam.conf:
>
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> # login auth sufficient pam_krb5.so use_first_pass
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> #
> # dtlogin (explicit to allow for separate control during
> # testing)
> #
> dtlogin auth requisite pam_authtok_get.so.1
> dtlogin auth required pam_unix_auth.so.1
> #
> #
> # su (explicit to provide failsafe root access during testing)
> #
> su auth requisite pam_authtok_get.so.1
> su auth required pam_unix_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth binding pam_krb5.so.1
> krlogin auth required pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth binding pam_krb5.so.1
> krsh auth required pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth binding pam_krb5.so.1
> ktelnet auth required pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> # other auth sufficient pam_krb5.so use_first_pass
> other password required pam_authtok_store.so.1
>
>
> Any help is appreciated.
> Thanks,
> -Chris
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
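The two krb5.conf points raised in the reply above (dns_lookup_kdc set alongside an explicit kdc, and the missing bare-domain line in [domain_realm]) can be checked mechanically before touching pam.conf; the script below is an added example written for this thread, not code from the list or from Solaris. It embeds a constructed, trimmed copy of the quoted krb5.conf and also flags two things visible in that file but not discussed in the reply: an admin_server outside default_domain and single-DES-only enctypes (the "pick one source" and "prefer stronger types" wording is the example's own).

```python
# Constructed sample: the krb5.conf sections quoted in the post, trimmed.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = WHATEVER.COM
    dns_lookup_kdc = true
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
[realms]
    WHATEVER.COM = {
        kdc = dc1.whatever.com
        admin_server = dc1.example.com
        default_domain = whatever.com
    }
[domain_realm]
    *.whatever.com = WHATEVER.COM
    .whatever.com = WHATEVER.COM
"""

def parse_krb5_conf(text):
    # Minimal krb5.conf reader: {section: {key: value or nested dict}}.
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_krb5_conf(conf):
    # Returns the review findings; the first two are the points Will raises.
    lib, findings = conf.get("libdefaults", {}), []
    realm = lib.get("default_realm", "")
    rc = conf.get("realms", {}).get(realm, {})
    domain = rc.get("default_domain", "")
    if lib.get("dns_lookup_kdc", "").lower() == "true" and "kdc" in rc:
        findings.append("dns_lookup_kdc = true and an explicit kdc: pick one source")
    if domain and domain not in conf.get("domain_realm", {}):
        findings.append(f"domain_realm lacks bare '{domain} = {realm}' mapping")
    admin = rc.get("admin_server", "")
    if domain and admin and not admin.endswith("." + domain):
        findings.append(f"admin_server {admin} is not under default_domain {domain}")
    enc = lib.get("default_tkt_enctypes", "").split()
    if enc and all(e.startswith("des-") for e in enc):
        findings.append("default_tkt_enctypes is single-DES only; prefer stronger types")
    return findings
```

Running `check_krb5_conf(parse_krb5_conf(open("/etc/krb5/krb5.conf").read()))` on the real file reports the same findings for that host; an empty list means none of the four conditions is present.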
