On Mon, 2008-03-31 at 17:28 -0400, Leopold, Corey wrote:
> Hello,
>
> I’ve got CIFS working against my MS Active Directory infrastructure,
> additionally I have successfully configured the LDAP client to access
> the unix Active Directory attributes for UID/GID/Home Directory, which
> allows me to use idmap to access the files as the same user from
> Solaris or Windows without managing separate account databases.
>
> The problem I’m having is when I used smbadm to join the domain it
> apparently creates the krb5.keytab file.  The keytab that gets created
> does not work for enabling Active Directory authentication for
> interactive logon to the machine.  I have set up the pam.conf for
> this, but when I attempt to log in I get this error:
>
> Mar 31 16:19:22 XXXX sshd[822]: [ID 308913 auth.error] PAM-KRB5
> (auth): krb5_verify_init_creds failed: Key table entry
> "host/XXXX.XXXX.com" not found in FILE:/etc/krb5/krb5.keytab

I'm not a CIFS expert but do know something about Kerberos. In order to
use pam_krb5 you need to have a host key in the keytab file. You can
disable this behaviour by setting "verify_ap_req_nofail" to "false"
in /etc/krb5/krb5.conf.
I don't know what keys are in your keytab. In order to list the keys in
the default keytab (/etc/krb5/krb5.keytab) run "klist -k" as root.
You should be able to create the host principal on the Microsoft AD using
the "Ktpass" command. Then securely transfer the resulting keytab file
over to the host and add the principal to the default keytab using the
"ktutil" command.

You may also be interested in the kclientv2 project -
http://opensolaris.org/os/project/kerberos/current/. It's currently in
code-review and will likely go into Nevada soon.
If you have more Kerberos questions a good place to ask is
[EMAIL PROTECTED]

-Mark
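As an added illustration of the check Mark describes (not code from either poster), the script below parses "klist -k" style output to see whether the host/<fqdn>@<REALM> key that pam_krb5 requires is present, and prints the ktutil command sequence for merging a ktpass-generated keytab into the default one. The sample klist output, hostname and realm are constructed placeholders, and the rkt/wkt ktutil commands are assumed from MIT ktutil.

```bash
#!/bin/sh
# Added example: verify that the default keytab contains the host key that
# pam_krb5 insists on while verify_ap_req_nofail is true (the default).

# Constructed sample of "klist -k" output from a host that only holds the
# keys smbadm created for CIFS. Replace with: klist -k 2>&1
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/fileserver.example.com@EXAMPLE.COM
   2 fileserver$@EXAMPLE.COM'

# keytab_has_host_key KLIST_OUTPUT FQDN REALM
# Returns 0 when a host/FQDN@REALM entry is listed, 1 otherwise.
# The principal is the second whitespace-separated field of each entry line;
# the header lines never match because their second field is not a principal.
keytab_has_host_key() {
    klist_out=$1
    want="host/$2@$3"
    printf '%s\n' "$klist_out" | awk -v want="$want" '
        $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_principals KLIST_OUTPUT
# Prints just the principal names, one per line, for a quick review.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 { print $2 }'
}

# ktutil_merge_script SRC_KEYTAB DEST_KEYTAB
# Prints the ktutil commands that read the keytab produced by ktpass on the
# domain controller and append its entries to the default keytab.
# Usage on the Solaris host (assumed MIT-style ktutil):
#   ktutil_merge_script /tmp/host.keytab /etc/krb5/krb5.keytab | ktutil
ktutil_merge_script() {
    printf 'rkt %s\nwkt %s\nquit\n' "$1" "$2"
}

# Stand-alone run against the constructed sample (placeholder host/realm).
if keytab_has_host_key "$SAMPLE_KLIST" fileserver.example.com EXAMPLE.COM; then
    echo "host key present; pam_krb5 can verify the TGT"
else
    echo "host key missing; keytab currently holds:"
    keytab_principals "$SAMPLE_KLIST"
    echo "merge the ktpass output with:"
    ktutil_merge_script /tmp/host.keytab /etc/krb5/krb5.keytab
fi
```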


_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss