Hi All- I'm hoping some of you Sun Kerberos gurus can tell me if my problem can be resolved... Basically I have my test Solaris 10 system set up to authenticate, via PAM, in 3 ways.
First it checks if you have a local account and then lets you in if so. Second it checks to see if you have a Kerberos account and if so authenticates you using Kerberos (getting a ticket) and uses LDAP account information. Third, if you have no Kerberos account, it checks your LDAP password and if correct lets you in using your LDAP account info.

Basically I can get things working but the Kerberos PAM module is VERY chatty! If I log in with my LDAP password, pam_krb5 always tells me "Kerberos authentication failed" during dtlogin or ssh login, and then lets me in. But it's very annoying, and will confuse my users.

Example (logging in using LDAP password):

    % ssh weiler@testhost
    weiler@testhost's password:
    Kerberos authentication failed
    Last login: Fri Jun 30 08:33:26 2006 from banshee.cse.ucs
    You have mail.
    testhost:/home/weiler%

And if I use my Kerberos password it gives me no errors and logs me in. With dtlogin, a pop-up window actually pops up saying the same thing, "Kerberos Authentication Failed" and you have to click the "OK" button and then it logs you in.

I guess my question is: Is there any way to tell Kerberos to be quiet? I don't care if Kerberos authentication fails when people are logging in using LDAP credentials, I just don't want it to keep telling me it failed every time. The "nowarn" flag used with pam_krb5.so.1 in pam.conf doesn't seem to help....
Here's my /etc/pam.conf if it will help:

    login auth requisite pam_authtok_get.so.1
    login auth required pam_unix_cred.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth sufficient pam_krb5.so.1
    login auth sufficient pam_ldap.so.1
    #
    dtsession auth sufficient pam_unix_auth.so.1
    dtsession auth sufficient pam_krb5.so.1
    dtsession auth sufficient pam_ldap.so.1
    #
    # rlogin service (explicit because of pam_rhost_auth)
    #
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    #
    # Kerberized rlogin service
    #
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    #
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    #
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    #
    # Kerberized rsh service
    #
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    #
    # Kerberized telnet service
    #
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    #
    # PPP service (explicit because of pam_dial_auth)
    #
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    #
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other auth requisite pam_authtok_get.so.1
    other auth required pam_unix_cred.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth sufficient pam_krb5.so.1 nowarn
    other auth sufficient pam_ldap.so.1
    #
    # passwd command (explicit because of a different authentication module)
    #
    passwd auth sufficient pam_passwd_auth.so.1
    passwd auth sufficient pam_ldap.so.1
    #
    # cron service (explicit because of non-usage of pam_roles.so.1)
    #
    cron account required pam_unix_account.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    passwd account sufficient pam_unix_account.so.1
    passwd account sufficient pam_ldap.so.1
    #
    other account sufficient pam_unix_account.so.1
    other account sufficient pam_ldap.so.1
    other account sufficient pam_krb5.so.1 nowarn
    #
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    #
    other session sufficient pam_unix_session.so.1
    other session sufficient pam_ldap.so.1
    other session sufficient pam_krb5.so.1 nowarn
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1

Thanks a million in advance for any insight!

ciao, erich

This message posted from opensolaris.org
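Added example, not part of the original post: a small checker that works out which stack in a pam.conf like the one above applies to a given service (its own entries, or the `other` entries when the service is "not explicitly mentioned", as the file's comments put it) and lists the pam_krb5 lines in that stack that do not carry `nowarn`. The embedded config is an excerpt of the posted auth entries; the service names queried (`login`, `dtlogin`) are assumptions about what the application registers with PAM.

```python
# Added example (not from the original post): resolve the pam.conf stack a
# service actually uses and list pam_krb5 entries in it that lack "nowarn".

# Auth entries for "login" and "other", copied from the posted /etc/pam.conf.
PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_krb5.so.1
login auth sufficient pam_ldap.so.1
# Default definitions for Authentication management
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth sufficient pam_krb5.so.1 nowarn
other auth sufficient pam_ldap.so.1
"""


def parse(text):
    """Parse 'service type control module [options...]' lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        service, mtype, control, module, *options = fields
        entries.append({"service": service.lower(), "type": mtype.lower(),
                        "control": control, "module": module,
                        "options": options})
    return entries


def stack_for(entries, service, mtype):
    """Return (service name matched, stack); fall back to 'other'."""
    for name in (service.lower(), "other"):
        stack = [e for e in entries
                 if e["service"] == name and e["type"] == mtype]
        if stack:
            return name, stack
    return None, []


def krb5_without_nowarn(entries, service, mtype="auth"):
    """pam_krb5 lines in the effective stack that do not carry 'nowarn'."""
    matched, stack = stack_for(entries, service, mtype)
    return matched, [e for e in stack if e["module"].startswith("pam_krb5")
                     and "nowarn" not in e["options"]]


if __name__ == "__main__":
    for svc in ("login", "dtlogin"):  # service names chosen for illustration
        print(svc, krb5_without_nowarn(parse(PAM_CONF), svc))
```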
