I don't think your problem is Kerberos, but rather nss and pam finding the account. Could also be telnet issues too.

[email protected] wrote:
> "Douglas E. Engert" <[email protected]> wrote on 14/05/2009 20:13:25:
>
>> [email protected] wrote:
>>> Folks
>>>
>>> I am trying to set up a Solaris 8 client to talk to Kerberos / Ldap instead
>>> of using NIS
>>>
>>> Ldap works fine e.g. getent passwd
>>> Displays the LDAP Password entries
>>>
>>> Kerberos:
>>> Doing a kinit USERNAME, works fine if I am logged on to the console as
>>> root user
>>> So would seem that /etc/krb/krb5.conf is configured correctly.
>>>
>>> I have changed /etc/pam.conf to use krb5
>>> other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
>>> other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
>>> #
>>>
> Adding debug does not seem to generate any more details.
>
>> Try adding debug as a param on the above line.
>>
>>> However when I try and login as a normal user /var/adm/authlog shows the
>>> following errors
>>>
>>> May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - debug = 1
>> First of all you should not use telnet, as the password may be sent over
>> the network in the clear. Consider using ssh.
>
> Normally we do use ssh but for testing turned on telnet
> In case ssh was causing problems.
>
>>> No account present for user
>> This says it can not find the account, so there is some issue with
>> the user account or the nsswitch.conf finding ldap, or how telnet is
>> passing in the username.
>>
>
>> add debug options to the pam.conf entries.
>>
>> We don't have any Solaris 8 anymore but when we did, we did not use the
>> Sun version of Kerberos or pam_krb5. We have used MIT Kerberos and various
>> pam_krb5 modules. (On Solaris 10 the Sun Kerberos, ssh and pam_krb5
>> work well.)
>>
> Now that bit is interesting, maybe Solaris 8 stock version of Kerberos is
> broken.
> I will download the latest version and see if that makes any difference.

The Solaris 8 Kerberos may work fine in your situation.
We were running Kerberos long before Sun implemented it. Sun did not expose the API in 8 and 9. We also use Windows AD as the KDC, which if I recall had issues. So we kept running the MIT versions on 8 and 9.

>
> Matt
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
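
An added example, not part of the thread: a small check that resolves which pam.conf stack a service such as telnet actually uses for each module type (its own entries, else the `other` fallback) and whether that stack loads pam_krb5 with `debug` set. The sample file is constructed; only its two `other password` lines are taken from the post, and the function names are hypothetical.

```python
MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample. Only the two "other password" lines are from the thread.
SAMPLE_PAM_CONF = """\
# service type control module [options]
login  auth     required   /usr/lib/security/$ISA/pam_unix.so.1
other  auth     required   /usr/lib/security/$ISA/pam_unix.so.1
other  account  required   /usr/lib/security/$ISA/pam_unix.so.1
other  password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other  password required   /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
"""


def parse_pam_conf(text):
    """Return (service, type, control, module, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            continue  # malformed entry, ignored by this check
        service, mtype, control, module = fields[:4]
        entries.append((service.lower(), mtype, control, module, fields[4:]))
    return entries


def effective_stack(entries, service, mtype):
    """Entries PAM would use: the service's own, else the 'other' fallback."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    if own:
        return service, own
    fallback = [e for e in entries if e[0] == "other" and e[1] == mtype]
    return ("other" if fallback else None), fallback


def audit(text, service, module="pam_krb5"):
    """Per module type: stack source, whether it loads `module`, debug set."""
    entries = parse_pam_conf(text)
    result = {}
    for mtype in MODULE_TYPES:
        source, stack = effective_stack(entries, service, mtype)
        hits = [e for e in stack if module in e[3]]
        result[mtype] = {"source": source, "has_module": bool(hits),
                         "debug": any("debug" in e[4] for e in hits)}
    return result


if __name__ == "__main__":
    for mtype, info in audit(SAMPLE_PAM_CONF, "telnet").items():
        print(f"{mtype:9}{info}")
```
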
