
Credential file creation on Solaris at login fails



 Hi all,

I'm quite new to Kerberos; I've been given the task of investigating LDAP
and Kerberos migration from a legacy NIS installation.

I'm working on Solaris 9 systems. I have Heimdal running on one machine
and I'm trying to authenticate a local user (in /etc/passwd) using
Kerberos.

At the console of this box, I can indeed log in. If I change the password
for this user using kadmin on the KDC, the password required to log in
changes accordingly! It's looking good so far, but...

When I log in using the console, the credential cache is not created in
/tmp.

$ set |grep KRB5
KRB5CCNAME=FILE:/tmp/krb5cc_101

This shows that the pam_krb5.so.1 has done something... Enabling "debug"
for that PAM module reveals:
-----
 login: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
 login: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='testuser'
 login: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
 login: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
 login: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
 login: [ID 833335 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
 login: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_101', age = 0, status = 0
 login: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Success
 login: [ID 699746 auth.debug] PAM-KRB5 (acct): debug=1, nowarn=0
 login: [ID 531709 auth.debug] PAM-KRB5 (acct): no module data for KRB5_AUTOMIGRATE_DATA
 login: [ID 712548 auth.debug] PAM-KRB5 (acct): exp_warn start: user = 'testuser'
 login: [ID 734734 auth.debug] PAM-KRB5 (acct): fetch_princ_entry: non-RPCSEC_GSS chpw server, can't get princ entry
 login: [ID 615945 auth.debug] PAM-KRB5 (acct): exp_warn: fetch_pr failed 4
 login: [ID 748222 auth.debug] PAM-KRB5 (acct): exp_warn end: err = 4
 login: [ID 712902 auth.debug] PAM-KRB5 (acct): end: Success
 login: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 0
-----
in /var/adm/messages on the client

and
-----
AS-REQ testuser@TEST.NEWSINT from IPv4:143.252.84.29 for krbtgt/TEST.NEWSINT@TEST.NEWSINT
TGS-REQ testuser@TEST.NEWSINT from IPv4:143.252.84.29 for host/jumper.test.newsint@TEST.NEWSINT [renewable, forwardable]
AS-REQ testuser@TEST.NEWSINT from IPv4:143.252.84.29 for kadmin/changepw@TEST.NEWSINT
No PA-ENC-TIMESTAMP -- testuser@TEST.NEWSINT
AS-REQ testuser@TEST.NEWSINT from IPv4:143.252.84.29 for kadmin/changepw@TEST.NEWSINT
-----
in /var/heimdal/kdc.log on the KDC


If I run kinit as this user, I see:
-----
$ kinit
Password for testuser@TEST.NEWSINT:
$ klist
Ticket cache: /tmp/krb5cc_101
Default principal: testuser@TEST.NEWSINT

Valid starting                              Expires  Service principal
Mon 17 Jan 2005 03:08:37 AM GMT  Tue 18 Jan 2005 03:08:37 AM GMT  krbtgt/TEST.NEWSINT@TEST.NEWSINT
        renew until Mon 24 Jan 2005 03:08:37 AM GMT
-----

It seems I can collect a ticket manually, but the pam_krb5.so module
doesn't seem to store one in /tmp.

Is this a known problem with Solaris' pam_krb5? I'm hoping this can be
solved with configuration since I'm limited as to what software I can
install and replacing pam_krb5.so is unlikely to be a suitable solution.

I've seen pointers to various other commands, kinit -k for example:

On my client machine this reports:

-----
# kinit -k
kinit: Bad encryption type while getting initial credentials
-----

I'm wondering if anyone knows of something that might need tuning?

Cheers

Chris
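
A diagnostic sketch for the symptom in the post above, added here and not part of the original message: it lists which PAM phases logged PAM-KRB5 debug lines, pulls the cache path from the `finalize ccname env` line, and checks whether that file exists without group or other permission bits. The function names and the shortened sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from pam_krb5 or Heimdal.

# Constructed sample, shortened from the debug lines quoted in the post.
sample_log() {
cat <<'EOF'
login: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
login: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
login: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_101', age = 0, status = 0
login: [ID 712902 auth.debug] PAM-KRB5 (acct): end: Success
EOF
}

# Print each PAM phase that logged at least one PAM-KRB5 line (sorted, unique).
pam_phases() {
    sed -n 's/.*PAM-KRB5 (\([a-z]*\)).*/\1/p' | sort -u
}

# Print the cache path from the last KRB5CCNAME=FILE: value seen in the log.
ccache_from_log() {
    sed -n "s/.*KRB5CCNAME=FILE:\([^']*\)'.*/\1/p" | tail -n 1
}

# Classify a cache path: missing, ok (no group/other bits), or insecure.
check_ccache() {
    [ -f "$1" ] || { echo missing; return; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -???------) echo ok ;;
        *) echo insecure ;;
    esac
}

# Read a debug log on stdin and summarise phases and cache file state.
report() {
    log=$(cat)
    path=$(printf '%s\n' "$log" | ccache_from_log)
    echo "phases: $(printf '%s\n' "$log" | pam_phases | tr '\n' ' ')"
    echo "ccache: $path -> $(check_ccache "$path")"
}

sample_log | report
```

On a real client, feed `report` the PAM-KRB5 lines from /var/adm/messages instead of the sample.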