MIT Kerberos 1.4.1, Solaris 8, & AD SSO - Kerberos


  1. MIT Kerberos 1.4.1, Solaris 8, & AD SSO

    I am trying to get Single-Sign-On working with the *NIX boxes on our
    campus network. The Windows AD is controlled by our outsourced IT group
    so we can't drive any requirements on it. I have my Redhat Enterprise
    Linux boxes authenticating correctly to the AD domain. However, I've hit
    the wall with Solaris 8 (we have a mix of Solaris, I started with 8).

    I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
    system. I configured the /etc/krb5.conf for the AD domain and kinit
    returns a ticket (works as root or unprivileged user).

    I configured /etc/pam.conf for kerberos:

    # PAM configuration
    #
    # This file is configured to try pam_unix first, then pam_krb5
    #
    # Authentication management
    #
    other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
    other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
    #
    # Account management
    #
    # pam_krb5 has a no-op account module, so we don't bother listing it here
    #
    other account requisite /usr/lib/security/$ISA/pam_roles.so.1
    other account required /usr/lib/security/$ISA/pam_projects.so.1
    other account required /usr/lib/security/$ISA/pam_unix.so.1
    #
    # Session management
    #
    # pam_krb5 destroys any credential cache on session close, so it's good
    # to have it here. However, we also need pam_unix to be called, so don't
    # make pam_krb5 "sufficient".
    #
    other session optional /usr/lib/security/$ISA/pam_krb5.so.1
    other session required /usr/lib/security/$ISA/pam_unix.so.1
    #
    # Password management
    #
    # You may have to fiddle with this if you have other account databases.
    # If you have some centralized user management tool that users use to
    # change their password then you may just want to remove the pam_krb5
    # here.
    #
    other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
    other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
    #

    I created a Solaris account for the principal (first.last), made sure
    there was no shadow file entry for the account, then tried to log in
    using the principal name and Kerberos password.

    Login incorrect

    I added logging to the pam.conf configuration and these are the messages
    in /var/adm/messages:

    Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth: pam_sm_authenticate flags = 0
    Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='First.Last', uid=10526
    Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 52
    Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5: attempt_krb5_login returning 9
    Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5: pam_sm_auth finalize ccname env, result = 9, env = 'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
    Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth: returning 9
    Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(9)

    Any ideas would be greatly appreciated.

    Russ...

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: MIT Kerberos 1.4.1, Solaris 8, & AD SSO

    On Wed, Jun 29, 2005 at 02:55:33PM -0700, Haskins, Russell wrote:
    > I am trying to get Single-Sign-On working with the *NIX boxes on our
    > campus network. The Windows AD is controlled by our outsourced IT group
    > so we can't drive any requirements on it. I have my Redhat Enterprise
    > Linux boxes authenticating correctly to the AD domain. However I've hit
    > the wall with Solaris 8 (we have a mix of Solaris, I started with 8).
    >
    > I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
    > system. I configured the /etc/krb5.conf for the AD domain and kinit
    > returns a ticket (works as root or unprivileged user).


    But it looks like you are using the native Solaris pam_krb5, which is
    linked against the native Solaris 8 krb lib. S8 krb does not support
    TCP, which looks like the error (52) that shows up in your syslog
    messages. Your choices are to disable the PAC data on the AD so the AS
    does not use TCP for krb messages (which may not be an option given what
    you wrote above), update to Solaris 10, which does support TCP for krb,
    find a pam_krb5 that is linked against the MIT 1.4.1 krb lib, or have a
    Solaris support person file an escalation to get krb TCP support
    back-ported to S8.


    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)
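As an added example (not code from either poster or from MIT Kerberos), the triage step Will's diagnosis implies: re-join the mail-wrapped pam_krb5 debug lines quoted above, pull out the Kerberos and PAM result codes, and flag error 52. Error names are taken from RFC 4120 section 7.5.9 and PAM result names from the Solaris pam_appl.h numbering; the sample log is constructed from the poster's excerpt.

```python
import re
# RFC 4120 section 7.5.9 error codes; 52 is the one seen in the thread.
KRB5_ERROR_CODES = {
    24: "KDC_ERR_PREAUTH_FAILED",    # wrong password
    52: "KRB_ERR_RESPONSE_TOO_BIG",  # reply exceeds UDP size, retry over TCP
    68: "KDC_ERR_WRONG_REALM",
}
# Solaris <security/pam_appl.h> values (Linux-PAM numbers these differently).
SOLARIS_PAM_CODES = {0: "PAM_SUCCESS", 9: "PAM_AUTH_ERR"}

# A syslog entry starts "Mon DD HH:MM:SS host "; any other line is a wrapped tail.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")
KRB_ERR = re.compile(r"KRB5 error code (\d+)")
PAM_RET = re.compile(r"PAM-KRB5: sm_auth: returning (\d+)")

def rejoin_wrapped(text):
    """Re-join syslog entries that the mail client wrapped onto several lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if SYSLOG_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def diagnose(text):
    """Extract Kerberos and PAM codes from the debug log and flag the UDP-size case."""
    entries = rejoin_wrapped(text)
    krb = [int(m.group(1)) for e in entries if (m := KRB_ERR.search(e))]
    pam = [int(m.group(1)) for e in entries if (m := PAM_RET.search(e))]
    return {
        "krb5_errors": [(c, KRB5_ERROR_CODES.get(c, "UNKNOWN")) for c in krb],
        "pam_results": [(c, SOLARIS_PAM_CODES.get(c, "UNKNOWN")) for c in pam],
        # 52: the KDC reply (large with an AD PAC) must be fetched over TCP; a
        # krb library without TCP support, like native Solaris 8, fails here.
        "needs_tcp_capable_client": 52 in krb,
    }
# Constructed from the poster's /var/adm/messages excerpt, line wraps kept.
SAMPLE_LOG = """\
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth:
krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5:
attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5:
pam_sm_auth finalize ccname env, result = 9, env =
'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth:
returning 9
"""
```

Running `diagnose(SAMPLE_LOG)` on the excerpt reports error 52 with PAM_AUTH_ERR (9) and sets the TCP flag, which matches the reply's reading of the log.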