[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Solaris 9 + Heimdal KDC?

On Feb 17, 2005, at 1:28 PM, Adam Morley wrote:

> So I can log in now (quite neat!), and I see a request for krbtgt in  
> the
> kdc's logs, but no ticket in the cache:
> <...ssh password prompt entry...>
> bash-2.05$ klist
> klist: No credentials cache file found while setting cache flags(ticket
> cache /tmp/krb5cc_1001)

Memory is fuzzy, but I think the Solaris pam_krb5 may not keep the tgt  
unless it can verify it against a host/FQDN@REALM principal in  
/etc/krb5/krb5.keytab.  Also applies to the screen lock, which will  
renew the tgt on unlock if it can verify the kdc.

There's a verify-mumble-nofail option that may affect this behavior.   
It's claimed to affect it on Solaris 10 anyway.

man pam_krb5 may tell you something.  It's very informative on Solaris  

> I'm guessing changepw is for Solaris's account management/password
> change policy stuff, as . . .

	kpasswd_protocol = SET_CHANGE

man krb5.conf
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu