Kerberos authentication does not seem to work when auditing is enabled on Solaris 9 - Kerberos


  1. Kerberos authentication does not seem to work when auditing is enabled on Solaris 9

    I am running Solaris 9 with auditing turned on (etc/security/bsmconv).
    The problem I am having is that I cannot log on with dtlogin via
    Kerberos authentication as long as auditing is enabled. If I disable
    auditing I have no problem logging in with my Kerberos account. I am up
    to the latest patch cluster. I have been working with SUN for over a month
    and not getting anywhere. SSH, login, kinit work using Kerberos. The
    only time I have a problem is when trying to log in using dtlogin with
    Kerberos. When I try to log in with my Kerberos account the screen
    flashes and then sends me back out to the login screen. The account I
    am using resides on the KDC, which is a Windows 2003 DC, and also within
    the passwd file. The passwords do not match so I can tell which one I
    am actually logging into.

    Here is a copy of my pam.conf file, which works for ssh both Kerberos and
    local, login both Kerberos and local, and dtlogin local. The only issue
    I have is dtlogin using Kerberos authentication with auditing enabled.
    Turn auditing off and I get right in. Any help would be greatly
    appreciated. I have duplicated the same symptoms on two different
    Solaris 9 systems. My Solaris 8 systems are working fine.

    # more pam.conf
    #
    #ident "@(#)pam.conf 1.16 01/01/24 SMI"
    #
    # Copyright (c) 1996-2000 by Sun Microsystems, Inc.
    # All rights reserved.
    #
    # PAM configuration
    #
    # Authentication management
    #
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth sufficient pam_krb5.so.1 try_first_pass
    #
    #dtlogin auth requisite pam_authtok_get.so.1
    #dtlogin auth required pam_dhkeys.so.1
    dtlogin auth sufficient pam_unix.so.1
    dtlogin auth sufficient pam_krb5.so.1 try_first_pass debug
    #

    sshd auth requisite pam_authtok_get.so.1
    sshd auth required pam_dhkeys.so.1
    sshd auth sufficient pam_unix_auth.so.1
    sshd auth sufficient pam_krb5.so.1 use_first_pass debug
    #
    dtsession auth requisite pam_authtok_get.so.1
    dtsession auth required pam_dhkeys.so.1
    dtsession auth sufficient pam_unix_auth.so.1
    dtsession auth sufficient pam_krb5.so.1 try_first_pass debug
    #
    # Leave this stack for the default
    #
    ############################################################################
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_auth.so.1
    #
    ############################################################################
    #
    # Account management
    #
    login account requisite pam_roles.so.1
    login account required pam_projects.so.1
    login account required pam_unix_account.so.1
    #
    dtlogin account requisite pam_roles.so.1
    dtlogin account required pam_projects.so.1
    dtlogin account required pam_unix_account.so.1
    #
    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account required pam_unix_account.so.1
    #
    # Session management
    #
    other session sufficient pam_krb5.so.1
    other session required pam_unix_session.so.1
    #
    # Password management
    # Leave stack for changing local passwords
    #
    ####################################################################################
    #
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    #
    ####################################################################################
    #
    #
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #dtlogin auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #dtlogin account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    #
    # Support for Solaris PPP (sppp)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    ppp account requisite pam_roles.so.1
    ppp account required pam_projects.so.1
    ppp account required pam_unix_account.so.1
    ppp session required pam_unix_session.so.1
    passwd auth required pam_passwd_auth.so.1
    cron account required pam_unix_account.so.1
    #cron account optional pam_krb5.so.1
    #


    krb5.conf

    #
    # Copyright (c) 1998, by Sun Microsystems, Inc.
    # All rights reserved.
    #
    #pragma ident "@(#)krb5.conf 1.10 98/11/11 SMI"

    [libdefaults]
    default_realm = local.domain
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctype = des-cbc-md5

    [realms]
    local.domain= {
    kdc = xxx.xxx.xxx.x
    kdc = xxx.xxx.xxx.x
    admin_server = xxx.xx.xxx.x
    kpasswd_server = xxx.xx.xx.xx
    kpasswd_protocol= SET_CHANGE
    }

    [domain_realm]
    .local.domain= LOCAL.DOMAIN
    local.domain= LOCAL.DOMAIN

    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos authentication does not seem to work when auditing is enabled on Solaris 9

    On Fri, Oct 28, 2005 at 09:51:02AM -0400, Daniels, James (Contractor) (J6B) wrote:
    > I am running Solaris 9 with auditing turned on (etc/security/bsmconv).
    > The problem I am having is that I cannot log on with dtlogin via
    > Kerberos authentication as long as auditing is enabled. If I disable
    > auditing I have no problem logging in with my Kerberos account. I am up
    > to the latest patch cluster. I have been working with SUN for over a month
    > and not getting anywhere. SSH, login, kinit work using Kerberos. The
    > only time I have a problem is when trying to log in using dtlogin with
    > Kerberos. When I try to log in with my Kerberos account the screen
    > flashes and then sends me back out to the login screen. The account I
    > am using resides on the KDC, which is a Windows 2003 DC, and also within
    > the passwd file. The passwords do not match so I can tell which one I
    > am actually logging into.
    >
    > Here is a copy of my pam.conf file, which works for ssh both Kerberos and
    > local, login both Kerberos and local, and dtlogin local. The only issue
    > I have is dtlogin using Kerberos authentication with auditing enabled.
    > Turn auditing off and I get right in. Any help would be greatly
    > appreciated. I have duplicated the same symptoms on two different
    > Solaris 9 systems. My Solaris 8 systems are working fine.


    You should definitely add pam_krb5 to the account stacks of the services
    that use pam_krb5 in their auth stacks as well.

    I don't know if this will fix the problem though. Let me know.

    Nico
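
A way to check a pam.conf for the gap the reply above points at, as an added example that is not part of the thread: it lists services whose auth stack includes pam_krb5 but whose effective account stack does not, treating a service with no account entries of its own as using the `other` stack. The sample input is constructed from the posted file, and the function names are this example's own.

```python
# Constructed sample: services and modules mirror the pam.conf posted above,
# trimmed to the lines that matter for this check.
SAMPLE_PAM_CONF = """\
login    auth sufficient pam_unix_auth.so.1
login    auth sufficient pam_krb5.so.1 try_first_pass
dtlogin  auth sufficient pam_unix.so.1
dtlogin  auth sufficient pam_krb5.so.1 try_first_pass debug
sshd     auth sufficient pam_krb5.so.1 use_first_pass debug
other    auth required   pam_unix_auth.so.1
login    account required pam_unix_account.so.1
dtlogin  account required pam_unix_account.so.1
other    account required pam_unix_account.so.1
#dtlogin account optional pam_krb5.so.1
other    session sufficient pam_krb5.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [module, ...]} for active lines only."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 4:                     # blank, comment or malformed
            continue
        service, mtype, _flag, path = fields[:4]
        module = path.rsplit("/", 1)[-1]        # tolerate absolute module paths
        stacks.setdefault((service.lower(), mtype.lower()), []).append(module)
    return stacks

def effective_stack(stacks, service, mtype):
    """A service with no entries of a given type falls back to 'other'."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def missing_krb5_account(text, module_prefix="pam_krb5"):
    """Services that use pam_krb5 for auth but never reach it in account."""
    stacks = parse_pam_conf(text)
    findings = []
    for (service, mtype), modules in sorted(stacks.items()):
        if mtype != "auth" or not any(m.startswith(module_prefix) for m in modules):
            continue
        account = effective_stack(stacks, service, "account")
        if not any(m.startswith(module_prefix) for m in account):
            source = "own" if (service, "account") in stacks else "other"
            findings.append((service, source))
    return findings

if __name__ == "__main__":
    for service, source in missing_krb5_account(SAMPLE_PAM_CONF):
        print(f"{service}: auth uses pam_krb5, account stack ({source}) does not")
```

The second field of each finding says whether the account stack consulted was the service's own or the `other` fallback, which tells you where a pam_krb5 account line would need to go.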

