Chavez, James R. wrote:
> Douglas,
> Thank You for the response.
> The host name is definitely listed first as fully qualified in
> /etc/hosts. For Linux this was more than enough but for whatever reason
> this did not help in Solaris 10. Once I added the DNS entry and
> sshd-kbdint entries the authentication was successful but no logging.
>
> I agree that they could add this entry to DNS, the box does indeed
> follow their naming scheme. I wanted to see if the --dns-update flag was
> effective which it was at a cost it seems. I will ask that the DNS entry
> be added in the future to avoid rebuilding Samba and installing MIT
> 1.6.3. Although if possible I would rather not use Solaris Kerberos
> libraries and use MIT from source instead. Or if I can reinstall
> packages that contain the Solaris pam_krb5 libs perhaps that would help
> get the logging back.
>
> We are using Windows 2003 as the KDC. The domainname of DNS does match
> our Active Directory Kerberos realm name.
> I did use the net ads join after recompiling Samba and the --dns-update
> flag worked nicely. I will most likely need the features of Samba down
> the road, but in the future I will probably opt for adding the entry
> directly to DNS to avoid this issue.
>
> Could you briefly elaborate on another method of using AD as the KDC
> without Samba?


You have not said anything about how you got a host principal registered
in AD and how you initialized the /etc/krb5/krb5/keytab. (Solaris default.)
But you used the samba net ads join, which does do these for you.

The first place to start is:
http://technet.microsoft.com/en-us/l.../bb742433.aspx

It gives all the basics, and talks about ktpass. There are newer versions
of ktpass for 2003 and XP. Solaris, MIT, Heimdal and W2003 can all do
more than DES, so use RC4.

There is also msktutil (Google for it) that is run on Unix by someone with
join type AD admin privileges. It uses LDAP to create an account for the
host in AD and generate a krb5.keytab. (We use this.)

Sun has a script, adjoin.sh, that is similar to msktutil, that uses LDAP.
See: http://www.sun.com/bigadmin/features....jsp?cid=e5595

Keep in mind that Kerberos does authentication. You will still need
authorization. NIS, LDAP or local passwd files can provide this.
Look at nsswitch.conf. AD and Samba add authorization data to the Kerberos
tickets (PAC with user and group info) which Windows uses, and Samba can
map, so the distinction gets a little muddled. If you use LDAP
for authorization, AD could also be used.


Also Google for: Solaris ldap kerberos active directory
which can give you more pointers.

We use msktutil, with AD 2003, and the Solaris 10 provided Kerberos,
pam_krb5, ssh and sshd. We also have AFS, and use pam_afs_session,
and have a local pam_krb5_ccache module to allow sshd to have session
based ticket caches. Our DNS is separate, as is the LDAP for authorization.

>
> Thank you for the heads up on the sshd stuff, was going crazy last night
> trying to get PAM working for sshd. Blinded because pam_krb5 was not
> throwing any debug info for failed logins. I added sshd-kbdint entries
> to pam.conf and logins succeeded. Prior to the MIT install I was
> getting the "hostname cannot be canonicalized" messages so I worked on
> that which included the Samba and MIT installs. The pam_krb5
> authentication would still have failed because I did not have the
> sshd-kbdint entries listed but at the time I did not know because I was
> stuck on the DNS issue.
> The info you posted about the sshd stuff below is invaluable and I do
> not know how I missed that! I read the man page for sshd_config but did
> not consider sshd for some reason.
>
> Thank you
> James
>
>
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: Wednesday, September 10, 2008 12:14 PM
> To: Chavez, James R.
> Cc: kerberos@mit.edu
> Subject: Re: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
>
>
>
> Chavez, James R. wrote:
>> Doug, Thanks for the reply.
>> I am actually using kerberos for authenticating logins through ssh.
>> Because I had no DNS entry for this Solaris box I was getting the
>> following debug output from pam_krb5.
>>
>> Aug 26 10:24:21 solaris1.example.com sshd[1147]: [ID 537602 auth.error]
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Hostname cannot be canonicalized.
>
> This sounds like the sshd can not determine its FQDN. A host should be
> able to determine its name without DNS.
> This could be a /etc/hosts issue. The hostname should be fully qualified
> and listed in /etc/hosts before any short name. Also check `hostname` to
> make sure it is fully qualified.
>
>> This is indicative of DNS issues according to the Solaris Kerberos
>> Common errors guide.
>> The Windows team controls DNS and I am not on the Windows team.
>
> The other approach is to use a valid hostname that they will add to DNS.
> DNS is not Windows centric, and they should be able to add other names
> too.
>
> Are you using Windows AD for the KDC? (We do.) If not does your realm
> name match any AD domain names?
> If yes, then you will have issues down the road. Best to pick a realm
> name that does not conflict with a domain name.
>
>> A work around for me was to use Samba's net utility. However Solaris 10's
>> version was not built with the proper flag to allow this. So I needed
>> to upgrade Samba to accomplish this. The Samba configure script was
>> bombing looking for krb5 libs, so I installed MIT and pointed it
>> there.
>
> So you are trying to use Samba to get around the DNS issue?
> I don't think you need samba at all.
>
> Are you trying to use Samba's net join? i.e. use AD as the KDC?
> There are other ways to do this, if you don't need other Samba features.
>
>>
>> Since I upgraded Samba and added the DNS entry I can successfully
>> login using kerberos creds with pam_krb5, however now the debug output
>> is no longer visible. Could be that everything is working flawlessly
>> but the debug flag should still populate the messages log with
>> pam_krb5 entries regardless of success or failure I would think. At
>> least with Linux this is true.
>
> I should point out that the Solaris sshd calls pam with different
> Service Names depending on how the authentication is being done.
> (login is not one of them.) See the man sshd:
>
>>  _________________________________________________________
>> | SSHv2 Userauth            | PAM Service Name            |
>> |___________________________|_____________________________|
>> | none                      | sshd-none                   |
>> | password                  | sshd-password               |
>> | keyboard-interactive      | sshd-kbdint                 |
>> | pubkey                    | sshd-pubkey                 |
>> | hostbased                 | sshd-hostbased              |
>> | gssapi-with-mic           | sshd-gssapi                 |
>> | gssapi-keyex              | sshd-gssapi                 |
>> |___________________________|_____________________________|
>>
>
> So this may be a pam.conf issue. When sshd-gssapi is called,
> pam_krb5 is not used at all! Only the account and session are called to
> do other things.
>
> pam_krb5 is used only for passwords and thus only for password or
> keyboard-interactive.
>
>> To answer your questions.
>> When you say pam_krb5 fails, is it failing for the normal login
>> without any samba involved, or only when a samba program is calling
>> pam which calls pam_krb5?
>> --This is during a normal login with no Samba involved. I am looking
>> for verbose output for success or failure.
>> Is this the Solaris provided pam_krb5, or did you build an open source
>> version?
>> --This is the Solaris version of pam_krb5.
>> Did you replace any of the /usr/lib/krb5 libs?
>> --The /usr/lib/krb5 libs should be intact, I installed the MIT stuff
>> into /usr/local, the default.
>> ldd /usr/lib/security/pam_krb5.so.1
>> libkadm5clnt.so.1 => /usr/lib/krb5/libkadm5clnt.so.1
>> mech_krb5.so.1 => /usr/lib/gss/mech_krb5.so.1
>> libpam.so.1 => /lib/libpam.so.1
>> libnsl.so.1 => /lib/libnsl.so.1
>> libc.so.1 => /lib/libc.so.1
>> libgss.so.1 => /usr/lib/libgss.so.1
>> libsocket.so.1 => /lib/libsocket.so.1
>> libresolv.so.2 => /lib/libresolv.so.2
>> libpkcs11.so.1 => /usr/lib/libpkcs11.so.1
>> libcmd.so.1 => /lib/libcmd.so.1
>> libmp.so.2 => /lib/libmp.so.2
>> libmd.so.1 => /lib/libmd.so.1
>> libscf.so.1 => /lib/libscf.so.1
>> libcryptoutil.so.1 => /usr/lib/libcryptoutil.so.1
>> libdoor.so.1 => /lib/libdoor.so.1
>> libuutil.so.1 => /lib/libuutil.so.1
>> libgen.so.1 => /lib/libgen.so.1
>> libm.so.2 => /lib/libm.so.2
>> /platform/SUNW,Ultra-60/lib/libc_psr.so.1
>> /platform/SUNW,Ultra-60/lib/libmd_psr.so.1
>> I ran a truss of klist and kinit and everything seems to be normal. I
>> would not know how to directly invoke a truss of pam_krb5 however.
>> Well at least kerberos is authenticating..Would be nice to see some
>> debug though. Perhaps I can reinstall or freshen the pam_krb5 on my
>> Solaris box? I will have to look into that.
>>
>> Thank you
>> James
>>
>>
>>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert@anl.gov]
>> Sent: Wednesday, September 10, 2008 7:28 AM
>> To: Chavez, James R.
>> Cc: kerberos@mit.edu
>> Subject: Re: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
>>
>>
>>
>> Chavez, James R. wrote:
>>> Hello,
>>> Please point me to the correct list if this is wrong.
>>> I was having an issue compiling samba3.2.3 on my Solaris 10 box. It
>>> would not compile with the native Solaris 10 Kerberos libraries. I
>>> installed MIT Kerberos 1.6.3 from source and was able to successfully
>>> install Samba by pointing it to the MIT libraries.
>>> Prior to installing MIT 1.6.3 Kerberos, I was getting debug
>>> information from pam_krb5.so.1. Since the installation however I get
>>> nothing. I get nothing in the messages log concerning the failed
>>> kerberos login attempts nor for successful. Is there something I can
>>> do to get pam_krb5 to log messages again? Something perhaps I forgot
>>> to do after installing the MIT version. As I understand it, Solaris 10
>>> Kerberos is based on MIT Kerberos. The way I was getting debug info
>>> from pam_krb5.so.1 previously was by appending debug to the lines in
>>> pam.conf. Does installing the MIT version of Kerberos change the way
>>> pam_krb5 logs debug output? Perhaps in the app_defaults section in
>>> the krb5.conf file?
>>
>> When you say pam_krb5 fails, is it failing for the normal login
>> without any samba involved, or only when a samba program is calling
>> pam which calls pam_krb5?
>>
>> Is this the Solaris provided pam_krb5, or did you build an open source
>> version?
>>
>> Did you replace any of the /usr/lib/krb5 libs?
>>
>> It could be a problem of the samba program loading the MIT libs, and
>> the pam_krb5 loading /usr/lib/krb5/libkadm5clnt.so.1 and
>> /usr/lib/gss/mech_krb5.so.1. These have duplicate routine names. The
>> pam_krb5 may be calling the MIT versions of these routines and
>> failing.
>> If you can run the program under truss you can see what libs are
>> loaded, and maybe where the pam_krb5 is failing.
>>
>>
>>> Thanks
>>> James
>>>
>>> pam.conf
>>> -----------------------
>>> #login
>>> login auth requisite pam_authtok_get.so.1
>>> login auth required pam_dhkeys.so.1
>>> login auth sufficient pam_krb5.so.1 debug
>>> login auth required pam_unix_auth.so.1
>>> login account optional pam_krb5.so.1 debug
>>> login session required pam_unix_session.so.1
>>> login session optional pam_krb5.so.1 debug
>>> login password optional pam_krb5.so.1 debug
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
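As an added example, not code from this thread or from Sun or MIT: a small Python audit of a Solaris pam.conf that applies the sshd(1M) service-name table quoted above. It parses the file, and for the two service names that actually carry a password to PAM (sshd-password and sshd-kbdint) reports whether a pam_krb5 auth line exists and whether it has the debug option. The sample pam.conf is constructed from the one James posted, plus hypothetical sshd-kbdint lines; the fall-through to the "other" stanza when a service has no auth entries follows pam.conf(4). It is a read-only check and touches no system file unless you pass a path.

```python
"""Audit a Solaris pam.conf for sshd Kerberos coverage (added example)."""
import sys

# Solaris sshd userauth method -> PAM service name, from the sshd(1M)
# table quoted in the thread.
SSHD_SERVICES = {
    "none": "sshd-none",
    "password": "sshd-password",
    "keyboard-interactive": "sshd-kbdint",
    "pubkey": "sshd-pubkey",
    "hostbased": "sshd-hostbased",
    "gssapi-with-mic": "sshd-gssapi",
    "gssapi-keyex": "sshd-gssapi",
}

# Only these methods hand a password to PAM, so only their stacks can
# usefully contain pam_krb5 in the auth phase (sshd-gssapi never does).
PASSWORD_SERVICES = ("sshd-password", "sshd-kbdint")

# Constructed sample: James's posted "login" stack, plus a hypothetical
# sshd-kbdint stack with pam_krb5 but without the debug option.
SAMPLE_PAM_CONF = """\
#login
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 debug
login auth required pam_unix_auth.so.1
login account optional pam_krb5.so.1 debug
login session required pam_unix_session.so.1
login session optional pam_krb5.so.1 debug
login password optional pam_krb5.so.1 debug
# constructed: sshd-kbdint covered, sshd-password not
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth sufficient pam_krb5.so.1
sshd-kbdint auth required pam_unix_auth.so.1
"""


def parse_pam_conf(text):
    """Return (service, type, control, module, options) tuples.

    pam.conf lines are: service type control module [options...].
    Blank lines and comments are skipped; a trailing backslash joins
    the next line, as pam.conf(4) allows.
    """
    entries = []
    pending = ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; libpam would log and ignore it
        service, mtype, control, module = fields[:4]
        entries.append((service, mtype.lower(), control.lower(), module, tuple(fields[4:])))
    return entries


def auth_stack(entries, service):
    """Auth-phase entries for `service`, falling back to the 'other'
    stanza only when the service has no auth entries of its own."""
    own = [e for e in entries if e[0] == service and e[1] == "auth"]
    if own:
        return own
    return [e for e in entries if e[0] == "other" and e[1] == "auth"]


def krb5_auth_coverage(text):
    """Map each password-carrying sshd service to None (no pam_krb5 auth
    line at all: Kerberos passwords silently never reach pam_krb5, which
    is the symptom in the thread), False (present, no debug) or True."""
    entries = parse_pam_conf(text)
    coverage = {}
    for svc in PASSWORD_SERVICES:
        hit = next((e for e in auth_stack(entries, svc) if "pam_krb5" in e[3]), None)
        coverage[svc] = None if hit is None else ("debug" in hit[4])
    return coverage


def missing_krb5_services(text):
    return sorted(s for s, v in krb5_auth_coverage(text).items() if v is None)


def services_without_debug(text):
    return sorted(s for s, v in krb5_auth_coverage(text).items() if v is False)


if __name__ == "__main__":
    # Pass a path to audit a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAM_CONF
    for svc, state in krb5_auth_coverage(text).items():
        label = {None: "NO pam_krb5 auth entry", False: "pam_krb5, no debug", True: "pam_krb5 with debug"}[state]
        print(f"{svc:14s} {label}")
```

The two helper lists are the whole point: a "login" stack with debug on every line tells you nothing about ssh logins, because Solaris sshd never asks PAM for a service called login. Run it against /etc/pam.conf before adding a DNS entry or rebuilding Samba; if sshd-kbdint and sshd-password both come back as missing, the Kerberos side was never consulted.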