Folks I am trying to setup a Solaris 8 client to talk to Kerberos / Ldap instead of using NIS
Ldap works fine e.g getent passwd Displays the LDAP Pasword entries Kerberos: Doing a kinit USERNAME , works fine if I am logged on to the console as root user So would seem that /etc/krb/krb5.conf is configured correctly. I have changed /etc/pam.conf to use krb5 e.g # PAM configuration # # This file is configured to try pam_unix first, then pam_krb5 # # Authentication management # other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass # # Account management # # pam_krb5 has a no-op account module, so we don't bother listing it here # other account requisite /usr/lib/security/$ISA/pam_roles.so.1 other account required /usr/lib/security/$ISA/pam_projects.so.1 other account required /usr/lib/security/$ISA/pam_unix.so.1 # # Session management # # pam_krb5 destroys any credential cache on session close, so it's good # to have it here. However, we also need pam_unix to be called, so don't # make pam_krb5 "sufficient". # other session optional /usr/lib/security/$ISA/pam_krb5.so.1 other session required /usr/lib/security/$ISA/pam_unix.so.1 # # Password management # # You may have to fiddle with this if you have other account databases. # If you have some centralized user management tool that users use to # change their password then you may just want to remove the pam_krb5 # here. # other password sufficient /usr/lib/security/$ISA/pam_unix.so.1 other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass # However when I try and login as a normal user /var/adm/authlog shows the following error's May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - debug = 1 May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(1) May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(2) May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(5) May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(3) May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(4) May 14 17:20:48 bruce login: [ID 859314 auth.debug] pam_set_item(9) May 14 17:20:48 bruce login: [ID 207130 auth.debug] pam_authenticate() May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1 May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_authenticate May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_krb5.so.1 May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_authenticate May 14 17:20:53 bruce login: [ID 859314 auth.debug] pam_set_item(2) May 14 17:20:53 bruce login: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0). May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6) May 14 17:20:55 bruce login: [ID 427203 auth.debug] pam_authenticate: error Authentication failed May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6) May 14 17:20:55 bruce login: [ID 997726 auth.debug] pam_acct_mgmt() May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_roles.so.1 May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_projects.so.1 May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1 May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt May 14 17:20:55 bruce login: [ID 308033 auth.debug] pam_acct_mgmt: error No account present for user May 14 17:20:55 bruce login: [ID 468494 auth.crit] login account failure: No account present for user May 14 17:20:55 bruce login: [ID 690057 auth.debug] pam_end(): status = General PAM failure May 14 17:20:55 bruce PAM: [ID 702575 auth.debug] pam_start(telnet .telnet) - debug = 1 May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(1) May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(2) May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(5) May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(3) May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(4) May 14 17:20:55 bruce PAM: [ID 924963 auth.debug] pam_close_session() May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_krb5.so.1 May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: successful load of pam_sm_close_session May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1 May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: successful load of pam_sm_close_session May 14 17:20:55 bruce PAM: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0). May 14 17:20:55 bruce PAM: [ID 599088 auth.debug] pam_close_session: error Authentication token manipulation error May 14 17:20:55 bruce PAM: [ID 690057 auth.debug] pam_end(): status = Success I am guessing that this is somthing to do with the message Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0). But I have no idea how this is been generated. Note Kerberos / Ldap works fine on the RedHat Clients that I have all so setup. Can any body sugest what I am doing wrong. Thanks Matthew Matthew Garrett Senior IS Technical Analyst Tel: 01224 297889 Fax: 01224 296806 Email: [email protected] Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG Registered in England and Wales No.811900 Registered Office 33 Cavendish Square, London W1G 0PW This e-mail and any attachments are intended only for the person or entity to whom it is addressed and may contain confidential or privileged information. If you are not the addressee, any disclosure, reproduction, copying, distribution, or use of this communication is strictly prohibited. If you are not the intended recipient or person responsible for delivering this message to the named addressee, please notify us immediately and delete this e-mail. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
