[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

credential file creation on solaris at login fails

 Hi all,

I'm quite new to Kerberos, I've been given the task of investigating LDAP
and Kerberos migration from a legacy NIS installation.

I'm working on Solaris 9 systems. I have Heimdal running on one machine
and I'm trying to authenticate a local user (in /etc/passwd) using

At the console of this box, I can indeed login. If I change the password
for this user using kadmin on the KDC, the password required to login
changes accordingly! It's looking good so far, but..

When I login using the console, the credential cache is not created in

$ set |grep KRB5

This shows that the pam_krb5.so.1 has done something.. Enabling "debug"
for that pam module reveals:
 login: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
 login: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='testuser'
 login: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
 login: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
 login: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
 login: [ID 833335 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
 login: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_101', age = 0, status = 0
 login: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Success
 login: [ID 699746 auth.debug] PAM-KRB5 (acct): debug=1, nowarn=0
 login: [ID 531709 auth.debug] PAM-KRB5 (acct): no module data for KRB5_AUTOMIGRATE_DATA
 login: [ID 712548 auth.debug] PAM-KRB5 (acct): exp_warn start: user = 'testuser'
 login: [ID 734734 auth.debug] PAM-KRB5 (acct): fetch_princ_entry: non-RPCSEC_GSS chpw server, can't get princ entry
 login: [ID 615945 auth.debug] PAM-KRB5 (acct): exp_warn: fetch_pr failed 4
 login: [ID 748222 auth.debug] PAM-KRB5 (acct): exp_warn end: err = 4
 login: [ID 712902 auth.debug] PAM-KRB5 (acct): end: Success
 login: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 0
in /var/adm/messages on the client

TGS-REQ testuser@TEST.NEWSINT from IPv4: for host/jumper.test.newsint@TEST.NEWSINT [renewable, forwardable]
AS-REQ testuser@TEST.NEWSINT from IPv4: for kadmin/changepw@TEST.NEWSINT
AS-REQ testuser@TEST.NEWSINT from IPv4: for kadmin/changepw@TEST.NEWSINT
in /var/heimdal/kdc.log on the KDC

If I run kinit as this user, I see:
$ kinit
Password for testuser@TEST.NEWSINT:
$ klist
Ticket cache: /tmp/krb5cc_101
Default principal: testuser@TEST.NEWSINT

Valid starting                              Expires  Service principal
Mon 17 Jan 2005 03:08:37 AM GMT  Tue 18 Jan 2005 03:08:37 AM GMT
        renew until Mon 24 Jan 2005 03:08:37 AM GMT

It seems I can collect a ticket manually, but the pam_krb5.so module
doesn't seem to store one in /tmp

Is this a known problem with solaris' pam_krb5? I'm hoping this can be
solved with configuration since I'm limited as to what software I can
install and replacing pam_krb5.so is unlikely to be a suitable solution.

I've seen pointers to various other commands, kinit -k for example:

On my client machine this reports:

# kinit -k
kinit: Bad encryption type while getting initial credentials

I'm wondering if anyone knows of something that might need tuning?