Solaris using Kerberos

David A Flores Tue, 07 Dec 2004 14:44:29 -0800

Help anyone,
We are using a Windows domain controller as a KDC and we are trying to
authenticate a Solaris 9.0 OS box using Kerberos.  The following is the
command we use to create the keytab file:


ktpass -princ host/[EMAIL PROTECTED] -mapuser dean19 -pass * -out
c:\dean19.keytab

Once we create the keytab file we send it to the sever via ssh.  Attached
are the pam.conf file and the krb5.conf that we configured.  One the
computer called dean19 we ran the ktutil

rkt /etc/krb5/dean.keytab
wkt /etc/krb5/krb5.keytab

After the rkt and the wkt commands we do a list and it shows a "slot KVNO
Principal"

We then validate the server's ability to communicate with the MS Kerberos
Domain Controller by requesting a Ticket Granting Ticket using kinit.

We then use klist to verify that a TGT has been issued.

But when we try to login to the box we get the following error.

Dec  7 16:27:38 dean19 login: [ID 537602 auth.error] PAM-KRB5 (auth):
krb5_verify_init_creds failed: Key table entry not found


We tried it on 2 solaris machines and we are getting the same error.  Does
anyone know why this might be happening?  



David Flores
Medical School Information Technology
System Analyst II
713-500-5211

#
#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass

[libdefaults]
        default_realm = UTHSCH.EDU
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
                UTHSCH.EDU = {
                kdc = msdc1.uthsch.edu
                admin_server = msdc1.uthsch.edu
        }

[domain_realm]
        .uthsch.edu = UTHSCH.EDU
        uthsch.edu = UTHSCH.EDU

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log

[appdefaults]
        gkadmin = {
                help_url = 
http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
        }

smime.p7s
Description: S/MIME cryptographic signature

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Solaris using Kerberos

Reply via email to