Solaris 10 + pam_krbs + Active Directory.. What am I doing wrong? - Kerberos


  1. Solaris 10 + pam_krbs + Active Directory.. What am I doing wrong?

    I am trying to set up my Solaris 10 box so that I can authenticate against
    my Active Directory domain. For the application that I am using this for, all
    I need to do is authenticate against the domain; I do not need to be able to
    return other info (like home directory, user info, etc.)

    I have krb5 set up and when I do a kinit username it will authenticate
    against the active directory domain, and it reports success.

    I have now set up pam to use pam_krb5.so, but I get the error
    "krb5_verify_init_creds failed: New Password cannot be zero length" when I
    try to log on using any pam enabled service (ssh, console, pop3, etc.).
    Despite the error, in the Windows event log, I see a successful logon.

    I created an account on the AD domain and used the ktpass command to create
    the keytab file:
    ktpass -princ host/my_solaris_box.mydomain.com@MYDOMAIN.COM -mapuser
    my_solaris_box -pass My_Password_for_This_Account -out my_solaris_box.keytab

    I then moved that keytab file to /etc/krb5/krb5.keytab. I also tried using
    ktutil to read the file and write a new keytab file.

    When I enable pam_krb5 debugging I get the following:
    ============================================================================
    [ID 634615 local0.debug] pam_authtok_getam_sm_authenticate: flags = 0
    [ID 896952 local0.debug] pam_unix_auth: entering pam_sm_authenticate()
    [ID 655841 local0.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
    [ID 549540 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth: start:
    user='testuser'
    [ID 704353 local0.debug] PAM-KRB5 (auth): Forwardable tickets requested
    [ID 912857 local0.debug] PAM-KRB5 (auth): Renewable tickets requested
    [ID 179272 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth:
    krb5_get_init_creds_password returns: SUCCESS
    [ID 537602 local0.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New
    password cannot be zero length
    [ID 399723 local0.debug] PAM-KRB5 (auth): clearing initcreds in
    pam_authenticate()
    [ID 833335 local0.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 4
    [ID 914654 local0.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env,
    result =4, env ='KRB5CCNAME=FILE:/tmp/krb5cc_502', age = 0, status = 4
    [ID 525286 local0.debug] PAM-KRB5 (auth): end: System error
    [ID 490997 local0.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 4
    ============================================================================

    In the NT event log I can see the following when I try to log on:
    ===================================================================
    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 672
    Date: 3/2/2006
    Time: 11:07:58 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MY_AD_SERVER
    Description:
    Authentication Ticket Request:
    User Name: my_test_user
    Supplied Realm Name: MYDOMAIN.COM
    User ID: MYDOMAIN\my_test_user
    Service Name: krbtgt
    Service ID: MYDOMAIN\krbtgt
    Ticket Options: 0x40800010
    Result Code: -
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 2
    Client Address: 192.168.1.23
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    ===================================================================

    If I monitor the network traffic I see the following error:
    ========================================================
    KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
    ========================================================
    I am not sure if this is something that is an actual error, or just part of
    the normal Krb5 communication before a user is prompted for their
    password.

    I found that if I went into the user's account on the AD controller and
    checked off the box
    "Do not require Kerberos preauthentication" I would get the error "PAM-KRB5
    (auth): krb5_verify_init_creds failed: Matching credential not found"

    The Windows account I am trying to use is active and I can log onto Windows
    workstations with it. I have also tried a number of other Windows accounts
    with the same results.


    Windows Server = Windows Server 2003 Service Pack 1
    Solaris System = Solaris 10

    Does anyone have any ideas?


    -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


    Here are the details of the files that I am using:

    krb5.conf:
    =======================
    [libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    MYDOMAIN.COM = {
    kdc = my_ad_server.mydomain.com
    admin_server = my_ad_server.mydomain.com
    }

    [domain_realm]
    ..mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
    period = 1d
    versions = 10
    }

    [appdefaults]
    kinit = {
    renewable = true
    forwardable= true
    }
    pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    gkadmin = {
    help_url = http://docs.sun.com:80/ab2/coll.384....2PageView/1195
    }
    =======================

    kdc.conf
    =======================
    [kdcdefaults]
    kdc_ports = 88,750

    [realms]
    MYDOMAIN.COM = {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    admin_keytab = /etc/krb5/kadm5.keytab
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    default_principal_flags = +preauth
    }
    =======================

    pam.conf (this has changed about a thousand times in my attempts)
    =======================
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    #login auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass
    login auth optional pam_krb5.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1


    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1

    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1

    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1

    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1

    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1

    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1

    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #other auth requisite pam_authtok_get.so.1
    #other auth required pam_dhkeys.so.1
    #other auth required pam_ldap.so.1
    #other auth required pam_unix_cred.so.1
    #other auth sufficient pam_unix_auth.so.1 try_first_pass
    #other auth required /usr/lib/security/pam_ldap.so.1
    other auth required pam_krb5.so.1

    #
    # passwd command (explicit because of a different authentication module)
    passwd auth required pam_passwd_auth.so.1

    #
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1

    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    #other account required /usr/lib/security/pam_krb5.so.1

    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1

    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    =======================


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Solaris 10 + pam_krbs + Active Directory.. What am I doing wrong?

    On Thu, Mar 02, 2006 at 10:09:50PM +0000, SirBob Shark___007 wrote:
    > I have now set up pam to use pam_krb5.so, but I get the error
    > "krb5_verify_init_creds failed: New Password cannot be zero length" when I
    > try to log on using any pam enabled service (ssh, console, pop3, etc.).


    That is very odd indeed! We'll take a look tomorrow.

    > Despite the error, in the Windows event log, I see a successful logon.


    Yes, because the Kerberos V AS exchange succeeded -- that's all a KDC
    needs to decide to log a successful logon event message.

    > If I monitor the network traffic I see the following error:
    > ========================================================
    > KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
    > ========================================================


    This is normal.

    > I am not sure if this is something that is an actual error, or just part of
    > the normal Krb5 communication before a user is prompted for their
    > password.
    >
    > I found that if I went into the user's account on the AD controller and
    > checked off the box
    > "Do not require Kerberos preauthentication" I would get the error "PAM-KRB5
    > (auth): krb5_verify_init_creds failed: Matching credential not found"


    Is DNS configured on the Solaris machine? Does the principal name you
    gave the host match the canonical FQDN for its nodename?

    > pam.conf (this has changed about a thousand times in my attempts)
    > =======================
    > login auth requisite pam_authtok_get.so.1
    > login auth required pam_dhkeys.so.1
    > #login auth sufficient /usr/lib/security/pam_ldap.so.1 try_first_pass
    > login auth optional pam_krb5.so.1
    > login auth required pam_unix_cred.so.1
    > login auth required pam_unix_auth.so.1
    > login auth required pam_dial_auth.so.1


    The man page for pam_krb5 has a correct example. Try making pam_krb5 be
    sufficient, and if you do then make sure that pam_unix_cred comes first,
    before pam_krb5.

    Also, the 'login' service only applies to console text logins -- you
    probably don't want to use pam_krb5 for that service, but for dtlogin,
    sshd-*, etc... or just 'other'.

    Nico
    --
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: Solaris 10 + pam_krbs + Active Directory.. What am I doing wrong?

    On Thu, Mar 02, 2006 at 11:52:01PM -0600, Nicolas Williams wrote:
    > On Thu, Mar 02, 2006 at 10:09:50PM +0000, SirBob Shark___007 wrote:
    > > I have now set up pam to use pam_krb5.so, but I get the error
    > > "krb5_verify_init_creds failed: New Password cannot be zero length" when I
    > > try to log on using any pam enabled service (ssh, console, pop3, etc.).

    >
    > That is very odd indeed! We'll take a look tomorrow.


    Co-worker Shawn Emery wrote the following when dealing with a similar
    problem:

    One thing I noticed from the error message was that the "New
    password cannot be zero length" is mapped to the
    KRB5_KT_KVNONOTFOUND error return value, which means that the keys
    for host/vbi.nm.nh.bar in their /etc/krb5/krb5.keytab file do not
    match those that are found in AD. Check to make sure that the
    Windows ktpass executable is not pre-w2k3; there is a known issue
    with it that always sets the key version numbers (kvno) to 1, while
    the w2k3+ AD server now enforces correct kvnos.

    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
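The two diagnoses in this thread (Nico's question about whether the host principal matches the canonical FQDN, and Shawn Emery's point that KRB5_KT_KVNONOTFOUND means the kvno in /etc/krb5/krb5.keytab does not match what AD holds) can be turned into a scripted check. The following is an added example, not code from the thread or from Sun: it builds the expected host principal from an FQDN, then compares the kvnos a `klist -k` keytab listing holds for that principal against the kvno the KDC actually used, as reported by `kvno` after a `kinit`. Both command outputs are constructed sample text embedded inline (the keytab sample shows the stuck-at-1 kvno a pre-W2K3 ktpass produces); the function names and the `AWK` variable are my own.

```shell
#!/bin/sh
# Added example: detect a stale host keytab (kvno mismatch) and derive the
# host principal from the canonical FQDN. On Solaris 10 set AWK=nawk; the
# old /usr/bin/awk does not understand -v.
AWK=${AWK:-awk}

# Constructed sample of `klist -k -e /etc/krb5/krb5.keytab` output, as a
# pre-W2K3 ktpass would leave it: every key has kvno 1.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/my_solaris_box.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   1 host/my_solaris_box.mydomain.com@MYDOMAIN.COM (ArcFour with HMAC/md5)'

# Constructed sample of `kvno host/my_solaris_box.mydomain.com` output after a
# `kinit testuser`; AD issued the service ticket with kvno 3.
SAMPLE_KVNO_OUTPUT='host/my_solaris_box.mydomain.com@MYDOMAIN.COM: kvno = 3'

# host_principal FQDN -> prints host/FQDN@REALM, with the realm taken as the
# upper-cased DNS domain (the usual AD convention; adjust if your realm differs)
host_principal() {
  fqdn=$1
  realm=$(printf '%s' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')
  printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# keytab_kvnos LISTING PRINCIPAL -> prints the distinct kvnos the keytab
# listing holds for PRINCIPAL (one per line; empty if absent)
keytab_kvnos() {
  printf '%s\n' "$1" | "$AWK" -v p="$2" '$2 == p { print $1 }' | sort -u
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL -> prints the kvno the KDC used for PRINCIPAL
kdc_kvno() {
  printf '%s\n' "$1" | "$AWK" -v p="$2" -F'[: =]+' '$1 == p { print $NF }'
}

# check_host_keytab LISTING KVNO_OUTPUT PRINCIPAL
# exit 0 when the keytab holds the kvno the KDC is using, 1 on mismatch,
# 2 when either side has no entry for the principal
check_host_keytab() {
  want=$(kdc_kvno "$2" "$3")
  [ -n "$want" ] || { echo "KDC reported no kvno for $3" >&2; return 2; }
  have=$(keytab_kvnos "$1" "$3")
  [ -n "$have" ] || { echo "keytab has no entry for $3" >&2; return 2; }
  for k in $have; do
    [ "$k" = "$want" ] && return 0
  done
  echo "kvno mismatch for $3: keytab has [$(printf '%s ' $have)], KDC uses $want" >&2
  return 1
}

# Stand-alone demonstration on the constructed samples.
PRINC=$(host_principal my_solaris_box.mydomain.com)
if check_host_keytab "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_KVNO_OUTPUT" "$PRINC"; then
  echo "keytab kvno matches the KDC for $PRINC"
else
  echo "stale keytab for $PRINC: recreate it with a W2K3-or-later ktpass and reinstall"
fi
```

On a real box, replace the two sample strings with `klist -k -e /etc/krb5/krb5.keytab` and, after `kinit someuser`, `kvno "$PRINC"`; the principal printed by `host_principal "$(hostname)"` should also be compared against the FQDN that DNS returns for the host, since a mismatch there produces the "Matching credential not found" variant seen once preauthentication was switched off.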

