MIT Kerberos 1.4.1, Solaris 8, & AD SSO


MIT Kerberos 1.4.1, Solaris 8, & AD SSO

Haskins, Russell
I am trying to get Single-Sign-On working with the *NIX boxes on our
campus network. The Windows AD is controlled by our outsourced IT group
so we can't drive any requirements on it. I have my Redhat Enterprise
Linux boxes authenticating correctly to the AD domain. However I've hit
the wall with Solaris 8 (we have a mix of Solaris, I started with 8).

I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
system. I configured the /etc/krb5.conf for the AD domain and kinit
returns a ticket (works as root or unprivileged user).

I configured /etc/pam.conf for kerberos:

# PAM configuration
#
# This file is configured to try pam_unix first, then pam_krb5
#
# Authentication management
#
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here.  However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
# You may have to fiddle with this if you have other account databases.
# If you have some centralized user management tool that users use to
# change their password then you may just want to remove the pam_krb5
# here.
#
other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#

I created a Solaris account for the principal (first.last), made sure
there was no shadow file entry for the account, then tried to log in
using the principal name and kerberos passwd.

Login incorrect

I added logging to the pam.conf configuration and these are the messages
in /var/adm/messages:

Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth: pam_sm_authenticate flags = 0
Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5: attempt_krb5_login: start: user='First.Last', uid=10526
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5: attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5: pam_sm_auth finalize ccname env, result = 9, env = 'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth: returning 9
Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(9)

Any ideas would be greatly appreciated.

Russ...

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: MIT Kerberos 1.4.1, Solaris 8, & AD SSO

Wachdorf, Daniel R
Error code 52 is the error returned by AD indicating your UDP packet was
too big, and thus it wants to do TCP.  Windows puts the PAC in the
ticket to provide extra authentication information.

Older versions of Kerberos don't support TCP, and thus don't know what
to do.

-dan


Re: MIT Kerberos 1.4.1, Solaris 8, & AD SSO

Will Fiveash
In reply to this post by Haskins, Russell
On Wed, Jun 29, 2005 at 02:55:33PM -0700, Haskins, Russell wrote:
> I am trying to get Single-Sign-On working with the *NIX boxes on our
> campus network. The Windows AD is controlled by our outsourced IT group
> so we can't drive any requirements on it. I have my Redhat Enterprise
> Linux boxes authenticating correctly to the AD domain. However I've hit
> the wall with Solaris 8 (we have a mix of Solaris, I started with 8).
>
> I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
> system. I configured the /etc/krb5.conf for the AD domain and kinit
> returns a ticket (works as root or unprivileged user).

But it looks like you are using the native Solaris pam_krb5 which is
linked against the native Solaris 8 krb lib.  S8 krb does not support
TCP which looks like the error (52) that shows up in your syslog
messages.  Your choices are to disable the PAC data on the AD so the AS
does not use TCP for krb messages (which may not be an option given what
you wrote above), update to Solaris 10 which does support TCP for krb,
find a pam_krb5 that is linked against the MIT 1.4.1 krb lib or have a
Solaris support person file an escalation to get krb TCP support
back-ported to S8.


--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)