I am trying to get Single Sign-On working with the *NIX boxes on our campus network. The Windows AD is controlled by our outsourced IT group, so we can't drive any requirements on it. I have my Red Hat Enterprise Linux boxes authenticating correctly to the AD domain. However, I've hit the wall with Solaris 8 (we have a mix of Solaris, I started with 8).
I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04 system. I configured the /etc/krb5.conf for the AD domain and kinit returns a ticket (works as root or unprivileged user). I configured /etc/pam.conf for kerberos:

# PAM configuration
#
# This file is configured to try pam_unix first, then pam_krb5
#
# Authentication management
#
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here. However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
# You may have to fiddle with this if you have other account databases.
# If you have some centralized user management tool that users use to
# change their password then you may just want to remove the pam_krb5
# here.
#
other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#

I created a Solaris account for the principal (first.last), made sure there was no shadow file entry for the account, then tried to login using the principal name and kerberos passwd.

Login incorrect

I added logging to the pam.conf configuration and these are the messages in /var/adm/messages:

Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth: pam_sm_authenticate flags = 0
Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='First.Last', uid=10526
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5: attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5: pam_sm_auth finalize ccname env, result = 9, env = 'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth: returning 9
Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(9)

Any ideas would be greatly appreciated.

Russ...

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
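Added example, not part of the original post: a small triage script that folds PAM-KRB5 debug lines like the ones quoted above into one record per login attempt and names the numeric codes. It assumes the number in "KRB5 error code N" is the Kerberos protocol error code from RFC 4120 and that the PAM return values follow Solaris <security/pam_appl.h>; the function and table names are hypothetical.

```python
import re

# Subset of the debug lines quoted in the post, embedded so the script runs offline.
SAMPLE = """\
Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='First.Last', uid=10526
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5: attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth: returning 9
"""

# Kerberos protocol error codes, RFC 4120 section 7.5.9 (subset).
# 52 is "Response too big for UDP; retry with TCP".
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
}
# Assumption: Solaris numbering, which differs from Linux-PAM.
PAM_CODES = {0: "PAM_SUCCESS", 9: "PAM_AUTH_ERR"}

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<svc>[^:\[]+)"
                  r"(?:\[\d+\])?: \[ID \d+ \S+\] PAM-KRB5: (?P<msg>.*)$")
USER = re.compile(r"attempt_krb5_login: start: user='([^']*)', uid=(\d+)")
KERR = re.compile(r"tkt_with_pw returns: KRB5 error code (\d+)")
PRET = re.compile(r"sm_auth: returning (\d+)")

def triage(text):
    """Fold PAM-KRB5 debug lines into one record per authentication attempt."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a PAM-KRB5 debug line
        msg = m["msg"]
        if (u := USER.search(msg)):
            cur = {"time": m["ts"], "host": m["host"], "service": m["svc"],
                   "user": u[1], "uid": int(u[2]), "krb5": None, "pam": None}
            attempts.append(cur)
        elif cur and (k := KERR.search(msg)):
            cur["krb5"] = (int(k[1]), KRB_ERRORS.get(int(k[1]), "unknown"))
        elif cur and (p := PRET.search(msg)):
            cur["pam"] = (int(p[1]), PAM_CODES.get(int(p[1]), "unknown"))
            cur = None  # the module returned; this attempt is finished
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a)
```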
