Re: Solaris 9 Pam problem

Thu, 30 Jun 2005 15:01:45 -0700 

Sorry, missed your reference to /etc/krb5/krb5.keytab

I can't tell from you email if you are using SEAM or MIT Kerberos.... but this 
I know holds true for the MIT Kerberos 1.4...

Get a copy of the keytab file from the master and place it accordingly...
MIT Kerberos 1.4 is /usr/local/var/krb5kdc/<name>.keytab

For SEAM, I believe it goes into the /etc/krb5 directory... do not recall for 
sure.

Since authentication is local with su, you need the key to decrypt the password 
which is in the keytab file.

Check you master server logs and see if it is giving you a failure to 
decrypt... that would be a good indication that the local host cannot checksum 
the tickets because the key is on the master where the password ticket was 
create... now you need that key to decrypt on the client side.

Someone will probably say I am all wet, but this is what I had to do for ssh 
between Solaris 9 boxes using pam_krb5.so.1....
Once I place a copy of the master keytab file on the SUN server, I was then 
able to authenticate using Kerberos.

Steve
Daniel Wachdorf wrote:


I am trying to setup pam (with su for starters) on a solaris 9 system.  Its
up to date with all the recommended patches.

I have a valid krb5.conf file in /etc/ and sym-linked to
/etc/krb5/krb5.conf.  It has the following in libdefaults:

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

I created a keytab and symlinked it to /etc/krb5/krb5.keytab.

# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------------------- 
  2 host/[EMAIL PROTECTED]
<mailto:host/[EMAIL PROTECTED]>  (DES-CBC-CRC)
  2 host/[EMAIL PROTECTED]
<mailto:host/[EMAIL PROTECTED]>  (DES-CBC-MD5)

I have my /etc/hosts file with (IP address X to protect the innocent):

# cat /etc/hosts
#
# Internet host table
#
127.0.0.1       localhost
134.253.X.X  vmtest2c.sandia.gov vmtest2c    loghost

I added the following to my pam.conf:

su   auth sufficient         pam_krb5.so.1
su   account sufficient      pam_krb5.so.1

When I go to su as a Kerberos account I get:

bash-2.05$ su drwachdz
Enter Kerberos password for drwachdz:
authentication failed:  Bad encryption type

The log files show:

Jun 29 16:35:06 vmtest2c su: [ID 537602 auth.error] PAM-KRB5 (auth):
krb5_verify_init_creds failed: Bad encryption type

Any ideas?

-dan


________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos


________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to