Hi All-

I'm hoping some of you Sun Kerberos gurus can tell me if my problem can
be resolved... Basically I have my test Solaris 10 system set up to
authenticate, via PAM, in 3 ways.

First it checks if you have a local account and then let's you in if so.

Second it checks to see if you have a Kerberos account and if so
authenticates you using Kerberos (getting a ticket) and uses LDAP
account information.

Third, if you have no Kerberos account, it checks your LDAP password and
if correct let's you in using your LDAP account info.

Basically I can get things working but the Kerberos PAM module is VERY
chatty! If I log in with my LDAP password, pam_krb5 always tells me
"Kerberos authentication failed" during dtlogin or ssh login, and then
let's me in. But it's very annoying, and will confuse my users.

Example: (logging in using LDAP password):

% ssh weiler@testhost
weiler@testhost's password:
Kerberos authentication failed

Last login: Fri Jun 30 08:33:26 2006 from banshee.cse.ucs

You have mail.

And if I use my Kerberos password it gives me no errors and logs me in.
With dtlogin, a pop-up window actually pops up saying the same thing,
"Kerberos Authentication Failed" and you have to click the "OK" button
and then it logs you in.

I guess my question is: Is there any way to tell Kerberos to be quiet? I
don't care if Kerberos authentication fails when people are logging in
using LDAP credentials, I just don't want it to keep telling me it
failed every time. the "nowarn" flag used with pam_krb5.so.1 in pam.conf
doesn't seem to help....

Here's my /etc/pam.conf if it will help:

login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_krb5.so.1
login auth sufficient pam_ldap.so.1
dtsession auth sufficient pam_unix_auth.so.1
dtsession auth sufficient pam_krb5.so.1
dtsession auth sufficient pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth sufficient pam_krb5.so.1 nowarn
other auth sufficient pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth sufficient pam_passwd_auth.so.1
passwd auth sufficient pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
passwd account sufficient pam_unix_account.so.1
passwd account sufficient pam_ldap.so.1
other account sufficient pam_unix_account.so.1
other account sufficient pam_ldap.so.1
other account sufficient pam_krb5.so.1 nowarn
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session sufficient pam_unix_session.so.1
other session sufficient pam_ldap.so.1
other session sufficient pam_krb5.so.1 nowarn
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

Thanks a million in advance for any insight!

ciao, erich
Kerberos mailing list Kerberos@mit.edu