I am running Solaris 9 with auditing turned on (/etc/security/bsmconv). The problem I am having is that I cannot log on with dtlogin via Kerberos authentication as long as auditing is enabled. If I disable auditing I have no problem logging in with my Kerberos account. I am up to the latest patch cluster. I have been working with SUN for over a month and not getting anywhere.

SSH, login, and kinit work using Kerberos. The only time I have a problem is when trying to log in using dtlogin with Kerberos. When I try to log in with my Kerberos account the screen flashes and then sends me back out to the login screen. The account I am using resides on the KDC, which is a Windows 2003 DC, and also within the passwd file. The passwords do not match, so I can tell which one I am actually logging into.

Here is a copy of my pam.conf file, which works for ssh (both Kerberos and local), login (both Kerberos and local), and dtlogin local. The only issue I have is dtlogin using Kerberos authentication with auditing enabled. Turn auditing off and I get right in. Any help would be greatly appreciated. I have duplicated the same symptoms on two different Solaris 9 systems. My Solaris 8 systems are working fine.

# more pam.conf
#
#ident "@(#)pam.conf 1.16 01/01/24 SMI"
#
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Authentication management
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
#
#dtlogin auth requisite pam_authtok_get.so.1
#dtlogin auth required pam_dhkeys.so.1
dtlogin auth sufficient pam_unix.so.1
dtlogin auth sufficient pam_krb5.so.1 try_first_pass debug
#
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth sufficient pam_krb5.so.1 use_first_pass debug
#
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth sufficient pam_unix_auth.so.1
dtsession auth sufficient pam_krb5.so.1 try_first_pass debug
#
# Leave this stack for the default
#
############################################################################
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
#
############################################################################
#
# Account management
#
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account required pam_unix_account.so.1
#
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account required pam_unix_account.so.1
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Session management
#
other session sufficient pam_krb5.so.1
other session required pam_unix_session.so.1
#
# Password management
# Leave stack for changing local passwords
#
####################################################################################
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
####################################################################################
#
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#dtlogin auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#dtlogin account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
#
# Support for Solaris PPP (sppp)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1
ppp session required pam_unix_session.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
#cron account optional pam_krb5.so.1
#

krb5.conf
#
# Copyright (c) 1998, by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)krb5.conf 1.10 98/11/11 SMI"

[libdefaults]
    default_realm = local.domain
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctype = des-cbc-md5

[realms]
    local.domain= {
        kdc = xxx.xxx.xxx.x
        kdc = xxx.xxx.xxx.x
        admin_server = xxx.xx.xxx.x
        kpasswd_server = xxx.xx.xx.xx
        kpasswd_protocol= SET_CHANGE
    }

[domain_realm]
    .local.domain= LOCAL.DOMAIN
    local.domain= LOCAL.DOMAIN

[logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
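
Added example (not part of the original post, and not Sun's code): a small Python resolver that shows which PAM stack a service actually gets from a pam.conf like the one above, using the rule that a service with no entries of a given module type falls back to the "other" entries. PAM_CONF is a constructed excerpt of the active lines in the posted file; the function names are hypothetical.

```python
# Added example: resolve the PAM stack a service actually gets from pam.conf.
# PAM_CONF is a constructed excerpt of lines from the pam.conf in the post.
PAM_CONF = """\
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth sufficient pam_unix_auth.so.1
login   auth sufficient pam_krb5.so.1 try_first_pass
#dtlogin auth requisite pam_authtok_get.so.1
#dtlogin auth required  pam_dhkeys.so.1
dtlogin auth sufficient pam_unix.so.1
dtlogin auth sufficient pam_krb5.so.1 try_first_pass debug
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_auth.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required  pam_projects.so.1
dtlogin account required  pam_unix_account.so.1
other   session sufficient pam_krb5.so.1
other   session required   pam_unix_session.so.1
"""

def parse(text):
    """Return active entries as (service, type, flag, module, options)."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 4:
            entries.append((fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries

def effective_stack(entries, service, mtype):
    """Entries for service/type, or the 'other' entries if the service has none."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]

def report(text, service, mtypes=("auth", "account", "session")):
    """Map each module type to the stanza it came from and its (flag, module) list."""
    entries = parse(text)
    out = {}
    for mtype in mtypes:
        stack = effective_stack(entries, service, mtype)
        out[mtype] = {"source": stack[0][0] if stack else None,
                      "modules": [(e[2], e[3]) for e in stack]}
    return out

if __name__ == "__main__":
    for mtype, info in report(PAM_CONF, "dtlogin").items():
        print("dtlogin", mtype, "from", info["source"], info["modules"])
    print("login auth", report(PAM_CONF, "login", ("auth",))["auth"]["modules"])
```

Run against the excerpt, it shows that dtlogin's auth stack consists only of two sufficient modules, unlike login's four-module stack, and that dtlogin's session stack is inherited from "other".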