Solaris 9 Pam problem - Kerberos


Thread: Solaris 9 Pam problem

  1. Solaris 9 Pam problem

    I am trying to set up PAM (with su for starters) on a Solaris 9 system. It's
    up to date with all the recommended patches.

    I have a valid krb5.conf file in /etc/ and sym-linked to
    /etc/krb5/krb5.conf. It has the following in libdefaults:

    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

    I created a keytab and symlinked it to /etc/krb5/krb5.keytab.

    # klist -e -k /etc/krb5/krb5.keytab
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 host/vmtest2c.sandia.gov@dce.sandia.gov (DES-CBC-CRC)
       2 host/vmtest2c.sandia.gov@dce.sandia.gov (DES-CBC-MD5)

    I have my /etc/hosts file with (IP address X to protect the innocent):

    # cat /etc/hosts
    #
    # Internet host table
    #
    127.0.0.1 localhost
    134.253.X.X vmtest2c.sandia.gov vmtest2c loghost

    I added the following to my pam.conf:

    su auth sufficient pam_krb5.so.1
    su account sufficient pam_krb5.so.1

    When I go to su as a Kerberos account I get:

    bash-2.05$ su drwachdz
    Enter Kerberos password for drwachdz:
    authentication failed: Bad encryption type

    The log files show:

    Jun 29 16:35:06 vmtest2c su: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type

    Any ideas?

    -dan


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
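
A quick way to see how the keytab's enctypes line up with the krb5.conf lists quoted in the post above, as an added example that is not part of the original thread (function names are hypothetical, and the sample input is constructed from the values shown). It reports overlap only and does not establish the cause of the error.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Unique enctypes from `klist -e -k` output on stdin, lowercased. Works when
# the "(ENCTYPE)" is on the principal's line or wrapped onto the next line.
keytab_enctypes() {
    tr '[:upper:]' '[:lower:]' | sed -n 's/.*(\([a-z0-9-]*\)).*/\1/p' | sort -u
}

# Values of one krb5.conf enctype list ($1) from stdin, one per line.
conf_enctypes() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        tr '[:upper:]' '[:lower:]' | tr -s ' ,\t' '\n\n\n' | sed '/^$/d' | sort -u
}

# Args: klist output file, krb5.conf file, list name.
# Prints "<enctype> allowed|not-allowed"; returns 0 if any keytab enctype is
# in the list, 1 if none is, 2 if the list is unset (library defaults apply).
check_enctypes() {
    allowed=$(conf_enctypes "$3" < "$2")
    [ -n "$allowed" ] || { echo "$3 unset"; return 2; }
    rc=1
    for e in $(keytab_enctypes < "$1"); do
        if printf '%s\n' "$allowed" | grep -qxF -- "$e"; then
            echo "$e allowed"; rc=0
        else
            echo "$e not-allowed"
        fi
    done
    return $rc
}

# Constructed sample input, using the values shown in the post.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/vmtest2c.sandia.gov@dce.sandia.gov (DES-CBC-CRC)
   2 host/vmtest2c.sandia.gov@dce.sandia.gov
(DES-CBC-MD5)
EOF
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
EOF
check_enctypes "$tmp/klist.out" "$tmp/krb5.conf" default_tkt_enctypes
```

On a live host, feed it the real output, for example `klist -e -k /etc/krb5/krb5.keytab > klist.out`, and the krb5.conf that the PAM module actually reads.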


  2. Re: Solaris 9 Pam problem

    If you are using the /usr/lib/security/pam_krb5.so.1 module, then you
    have to place a copy or a link of the krb5.conf into the /etc/krb5
    directory... that is where the Solaris 9 PAM module looks for the krb5.conf
    file!

    Steve



  3. Re: Solaris 9 Pam problem

    Sorry, missed your reference to /etc/krb5/krb5.keytab

    I can't tell from your email if you are using SEAM or MIT Kerberos... but this I know holds true for the MIT Kerberos 1.4...

    Get a copy of the keytab file from the master and place it accordingly...
    MIT Kerberos 1.4 is /usr/local/var/krb5kdc/.keytab

    For SEAM, I believe it goes into the /etc/krb5 directory... do not recall for sure.

    Since authentication is local with su, you need the key to decrypt the password which is in the keytab file.

    Check your master server logs and see if it is giving you a failure to decrypt... that would be a good indication that the local host cannot checksum the tickets because the key is on the master where the password ticket was created... now you need that key to decrypt on the client side.

    Someone will probably say I am all wet, but this is what I had to do for ssh between Solaris 9 boxes using pam_krb5.so.1...
    Once I placed a copy of the master keytab file on the SUN server, I was then able to authenticate using Kerberos.

    Steve

