Folks,
Sorry about my last post, which was MIME-encoded. Here's a repost with
some updated information.
First, let me start by saying that I have only a working knowledge of
Solaris, Kerberos, and PAM. I'm not a programmer, but I (mostly) know how
these things work, what they do, and how to use them.
I hope this is the right forum for these questions. cc:ing me on your
reply would be appreciated, although I'll make an effort to check back on
this forum.
That said, I'm having trouble with two different flavours of pam_krb5 on
Solaris 8. I hope you can help.
...With the stock Solaris 8 pam_krb5...
With the stock Solaris 8 PAM, things work better than with the fcusack
PAM.
***Using telnet***
When logging in from a RedHat 7.1 Linux machine (with kerberos packages)
using "telnet [hostname]", I am able to log in with the correct username and
password. I am also given a proper-looking K5 ticket, as reported by "klist".
However, this warning appears in the log:
Sep 14 15:41:18 monster login: [ID 257133 auth.error] PAM-KRB5: no warning possible
and then, after I run "kdestroy" and logout, this message appears in the
log:
Sep 14 15:41:30 monster telnetd[13867]: [ID 390226 daemon.error] PAM-KRB5:Could not obtain principal name
***Using SSH***
I'm running OpenSSH 2.9p2 with the Kerberos/GSSAPI patch from the
following URL:
http://www.sxw.org.uk/computing/patches/openssh.html
It was configured with --with-pam and --with-kerberos5=/usr/local and
compiled cleanly with gmake.
When I try to login from my RH Linux 7.1 box (identical OpenSSH
installation w/patch) via 'ssh -C -v -l username hostname', I can see that
it successfully verifies the password via Kerberos (and an entry for the
login appears in the 'last' log) but immediately kicks me back out without
giving me a shell. The following two lines appear in /var/adm/messages:
Sep 14 15:21:59 monster sshd[13756]: [ID 257133 auth.error] PAM-KRB5: no warning possible
Sep 14 15:21:59 monster sshd[13756]: [ID 390226 auth.error] PAM-KRB5:Could not obtain principal name
...With http://www.fcusack.com/soft/pam_krb5-1.0.tar.gz...
***pam_krb5 compilation process***
# pwd
/var/tmp/krb/pam/pam_krb5
# vi Makefile
[edited Makefile]
# gmake
gcc -c -O2 -fPIC -I/usr/local/include pam_krb5_auth.c
pam_krb5_auth.c: In function `pam_sm_setcred':
pam_krb5_auth.c:291: warning: assignment discards qualifiers from pointer target type
gcc -c -O2 -fPIC -I/usr/local/include pam_krb5_pass.c
gcc -c -O2 -fPIC -I/usr/local/include pam_krb5_acct.c
gcc -c -O2 -fPIC -I/usr/local/include pam_krb5_sess.c
gcc -c -O2 -fPIC -I/usr/local/include support.c
gcc -o pam_krb5.so.1 -G pam_krb5_auth.o pam_krb5_pass.o pam_krb5_acct.o
pam_krb5_sess.o support.o -lpam -lnsl -lsocket -L/usr/local/lib -lkrb5
-lk5crypto -lcom_err
# gmake install
cp pam_krb5.so.1 /usr/lib/security
chown root:sys /usr/lib/security/pam_krb5.so.1
ln -s ./pam_krb5.so.1 /usr/lib/security/pam_krb5.so
cp pam_krb5.5 /usr/local/man/man5
chown root:sys /usr/local/man/man5/pam_krb5.5
# ls -l /usr/lib/security/pam_krb5.so*
lrwxrwxrwx 1 root other 15 Sep 14 15:31 /usr/lib/security/pam_krb5.so -> ./pam_krb5.so.1
-rwxr-xr-x 1 root sys 27392 Sep 14 15:31 /usr/lib/security/pam_krb5.so.1
#
*** With telnet ***
When I try to telnet from my RH 7.1 box, I'm refused login and the
following error appears in /var/adm/messages whether or not I use a valid
username/password pair:
Sep 12 22:06:56 monster login: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_krb5.so.1
*** via SSH ***
I try logging in from my RH 7.1 box with "ssh -C -v -l username hostname".
Trying the wrong password fails, and trying the right password does the
same as with the stock Solaris pam_krb5 PAM but yields the following error
in /var/adm/messages:
Sep 14 15:59:11 monster sshd[13897]: [ID 800047 auth.crit] fatal: PAM setcred failed[3]: Error in underlying service module
My system:
Solaris 8 on an Enterprise 420R w/4 CPUs, 4GB RAM, 2 18GB hard drives
# uname -a
SunOS monster 5.8 Generic_108528-10 sun4u sparc SUNW,Ultra-80
#
Also, I'm using MIT's Kerberos 1.2.2 which configured, compiled and
installed to /usr/local without any trouble. It just occurred to me that
I didn't remove the default Solaris kerberized apps, but I'm not sure if
that matters.
Any and all advice would be greatly appreciated. I'm stumped.
My pam.conf:
...begin pam.conf...
#
#ident "@(#)pam.conf 1.14 99/09/16 SMI"
#
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
#
# PAM configuration
#
# Authentication management
#
login auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login auth sufficient /usr/lib/security/$ISA/pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
#
rsh auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
su auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other password required /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
rlogin auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
login auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
other account optional /usr/lib/security/$ISA/pam_krb5.so.1
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
...end pam.conf...
*** update ***
With the pam.conf quoted below, I'm now able to login via SSH (using the
stock Solaris PAM), but my ticket is owned by 'root' rather than the actual
user... Huh?
... begin modified pam.conf ...
#
#ident "@(#)pam.conf 1.14 99/09/16 SMI"
#
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
#
# PAM configuration
#
# Authentication management
#
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
#
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
#
rsh auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
su auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other password required /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
rlogin auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
#login auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
other auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/pam_krb5.so.1
other account optional /usr/lib/security/pam_krb5.so.1
other session optional /usr/lib/security/pam_krb5.so.1
other password optional /usr/lib/security/pam_krb5.so.1 try_first_pass
... end modified pam.conf ...
Thanks in advance for any help you can provide.
--
Graham Freeman UNIX Systems Manager
CATS-Instructional Computing tel: +1 831 459 2472
U.C. Santa Cruz, CA, USA http://www.ic.ucsc.edu/help/
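The control flags in the two pam.conf files above decide which modules a service actually runs, and sshd, having no entries of its own, is served by the "other" stack. The script below is an added example written for this page, not code from the post, from Sun's PAM framework or from fcusack's module: it models the Solaris 8 pam.conf(4) stacking rules (required, requisite, sufficient, optional) and runs the "auth" lines from both posted files for login and sshd. The return-code numbers are the Solaris <security/pam_appl.h> values (3 is the "[3]" in the sshd setcred log line); the per-module outcomes in each scenario, including pam_dial_auth returning success on a tty that is not in /etc/dialups, are constructed assumptions to check against the man pages.

```python
"""Model of Solaris 8 PAM control-flag semantics (pam.conf(4)) applied to the
'auth' stacks quoted in the post. Added example: not code from the post, from
Sun's libpam or from fcusack's pam_krb5. Return codes are Solaris
<security/pam_appl.h> values; scenario outcomes are constructed assumptions."""
from dataclasses import dataclass

PAM_SUCCESS = 0
PAM_SERVICE_ERR = 3    # "Error in underlying service module", the [3] in the sshd log
PAM_PERM_DENIED = 7
PAM_AUTH_ERR = 9

@dataclass(frozen=True)
class Entry:
    service: str
    mtype: str      # auth | account | session | password
    flag: str       # required | requisite | sufficient | optional
    module: str     # basename, e.g. pam_krb5.so.1
    options: tuple = ()

def parse_pam_conf(text):
    """Parse pam.conf lines; file order is stack order within a service/type."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, path, *opts = fields
        if flag not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unknown control flag %r" % flag)
        # $ISA is empty for a 32-bit caller such as /bin/login, so the $ISA and
        # non-$ISA spellings in the two files name the same module file.
        entries.append(Entry(service, mtype, flag, path.rsplit("/", 1)[-1], tuple(opts)))
    return entries

def stack_for(entries, service, mtype):
    """'other' is used only when the service has no entries of its own for this
    module type; sshd has none in either file, so it gets the 'other' stack."""
    own = [e for e in entries if e.service == service and e.mtype == mtype]
    return own or [e for e in entries if e.service == "other" and e.mtype == mtype]

def run_stack(stack, outcomes):
    """Walk a stack with the pam.conf(4) rules. `outcomes` maps module basename to
    the code that module would return. Returns (framework result, modules invoked)."""
    invoked, required_err, optional_err, successes = [], None, None, 0
    for e in stack:
        invoked.append(e.module)
        rc = outcomes[e.module]
        if rc == PAM_SUCCESS:
            successes += 1
            if e.flag == "sufficient" and required_err is None:
                break                      # remaining modules are skipped
            continue
        if e.flag == "requisite":          # stop now; report the first required error
            return (required_err if required_err is not None else rc), invoked
        if e.flag == "required":
            required_err = required_err if required_err is not None else rc
        elif optional_err is None:         # optional, or a sufficient that failed
            optional_err = rc
    if required_err is not None:
        return required_err, invoked
    if successes == 0:                     # nothing succeeded (empty stack: denied, assumed)
        return (optional_err if optional_err is not None else PAM_PERM_DENIED), invoked
    return PAM_SUCCESS, invoked

# 'auth' lines for login and other from the first pam.conf in the post, in file order.
ORIGINAL_AUTH = """
login  auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login  auth sufficient /usr/lib/security/$ISA/pam_dial_auth.so.1
other  auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login  auth required   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other  auth required   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
"""
# The same lines from the modified pam.conf.
MODIFIED_AUTH = """
login  auth required   /usr/lib/security/$ISA/pam_unix.so.1
login  auth required   /usr/lib/security/pam_krb5.so.1 try_first_pass
other  auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other  auth required   /usr/lib/security/pam_krb5.so.1 try_first_pass
"""

# Constructed scenarios. pam_dial_auth is modelled as returning PAM_SUCCESS for a
# tty not listed in /etc/dialups (assumption: confirm against pam_dial_auth(5)).
LOCAL_AND_KRB_OK = {"pam_unix.so.1": PAM_SUCCESS, "pam_dial_auth.so.1": PAM_SUCCESS, "pam_krb5.so.1": PAM_SUCCESS}
KRB_ONLY_ACCOUNT = {"pam_unix.so.1": PAM_AUTH_ERR, "pam_dial_auth.so.1": PAM_SUCCESS, "pam_krb5.so.1": PAM_SUCCESS}
WRONG_PASSWORD = {"pam_unix.so.1": PAM_AUTH_ERR, "pam_dial_auth.so.1": PAM_SUCCESS, "pam_krb5.so.1": PAM_AUTH_ERR}

def simulate(conf_text, service, outcomes):
    """(result code, modules invoked) for one 'auth' attempt against a service."""
    return run_stack(stack_for(parse_pam_conf(conf_text), service, "auth"), outcomes)

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_AUTH), ("modified", MODIFIED_AUTH)):
        for service in ("login", "sshd"):
            for sname, outcomes in (("local+krb ok", LOCAL_AND_KRB_OK),
                                    ("krb-only acct", KRB_ONLY_ACCOUNT),
                                    ("wrong passwd", WRONG_PASSWORD)):
                rc, ran = simulate(conf, service, outcomes)
                print("%-8s %-5s %-13s -> %d  ran: %s" % (label, service, sname, rc, ", ".join(ran)))
```

What the run shows: in the first pam.conf a success from the "sufficient" pam_unix line ends the login stack before pam_krb5 is reached, so a correct local password never produces a Kerberos ticket from pam_authenticate; and if pam_dial_auth really does return PAM_SUCCESS on a non-dial-up tty, the second "sufficient" line ends the stack with success even after pam_unix has rejected the password, which is why two "sufficient" lines ahead of a "required" line deserve a close look. In the modified file, login requires pam_unix and pam_krb5 to both succeed, so an account with no local password hash is refused at the console, while sshd (other: pam_unix sufficient, pam_krb5 required) admits it and only runs pam_krb5 after pam_unix has failed.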
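One more check worth running on the freshly built fcusack module. login's "load_modules: can not open module" error, while sshd got far enough to call the module's setcred, is consistent with a dependency problem rather than a missing file: the gmake link line above passes -L/usr/local/lib but no -R, so the module records no runpath for libkrb5, libk5crypto and libcom_err, and /bin/login runs under telnetd with none of the LD_LIBRARY_PATH that an sshd started from an interactive shell may have inherited. That is an inference, not something the post states. The script below is an added example (not from the post) that runs ldd on a module with a scrubbed environment and reports the libraries it cannot resolve; the sample ldd output is constructed in the Solaris "(file not found)" format, with unversioned MIT library names assumed.

```python
"""Check that a PAM module's shared-library dependencies resolve in the bare
environment a login service has. Added example, not code from the post.
SAMPLE_LDD is constructed (Solaris ldd format, MIT library names assumed)."""
import re
import subprocess

# Solaris ldd: "libkrb5.so =>   (file not found)"; GNU ldd: "libkrb5.so.3 => not found"
UNRESOLVED = re.compile(r"^\s*(\S+)\s*=>\s*\(?(?:file )?not found\)?\s*$", re.MULTILINE)

def unresolved_deps(ldd_output):
    """Names of the libraries ldd could not locate, in the order reported."""
    return UNRESOLVED.findall(ldd_output)

def check_module(path):
    """Run ldd on `path` with no LD_LIBRARY_PATH, as /bin/login would load it,
    and return the unresolved dependencies (an empty list means it will load)."""
    env = {"PATH": "/usr/bin:/bin"}          # deliberately scrubbed environment
    proc = subprocess.run(["ldd", path], env=env, capture_output=True,
                          text=True, check=False)
    return unresolved_deps(proc.stdout + proc.stderr)

# Constructed sample of what ldd prints for a module linked with -L but no -R.
SAMPLE_LDD = """\
        libpam.so.1 =>   /usr/lib/libpam.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libkrb5.so =>    (file not found)
        libk5crypto.so =>        (file not found)
        libcom_err.so =>         (file not found)
        libc.so.1 =>     /usr/lib/libc.so.1
"""

if __name__ == "__main__":
    import sys
    # With a path argument the real module is inspected; without one the
    # constructed sample is parsed so the script runs anywhere.
    missing = check_module(sys.argv[1]) if len(sys.argv) > 1 else unresolved_deps(SAMPLE_LDD)
    for lib in missing:
        print("unresolved:", lib)
    print("module loads cleanly" if not missing
          else "relink with a runpath (-R) or register the library directory with crle(1)")
```

If any library is reported unresolved, relink the module with the runpath recorded (add -Wl,-R/usr/local/lib to the gcc -G link line) or register /usr/local/lib with crle(1), then re-run the check; "dump -Lv pam_krb5.so.1" shows whether a RUNPATH entry is now present. Note that ldd succeeding in your own shell proves nothing if LD_LIBRARY_PATH is set there, which is why the check scrubs the environment first.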