Solaris 9 Pam problem

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Solaris 9 Pam problem

Wachdorf, Daniel R
I am trying to setup pam (with su for starters) on a solaris 9 system.  Its
up to date with all the recommended patches.

I have a valid krb5.conf file in /etc/ and sym-linked to
/etc/krb5/krb5.conf.  It has the following in libdefaults:

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

I created a keytab and symlinked it to /etc/krb5/krb5.keytab.

# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   2 host/[hidden email]
<mailto:host/[hidden email]>  (DES-CBC-CRC)
   2 host/[hidden email]
<mailto:host/[hidden email]>  (DES-CBC-MD5)

I have my /etc/hosts file with (IP address X to protect the innocent):

# cat /etc/hosts
#
# Internet host table
#
127.0.0.1       localhost
134.253.X.X  vmtest2c.sandia.gov vmtest2c    loghost

I added the following to my pam.conf:

su   auth sufficient         pam_krb5.so.1
su   account sufficient      pam_krb5.so.1

When I go to su as a Kerberos account I get:

bash-2.05$ su drwachdz
Enter Kerberos password for drwachdz:
authentication failed:  Bad encryption type

The log files show:

Jun 29 16:35:06 vmtest2c su: [ID 537602 auth.error] PAM-KRB5 (auth):
krb5_verify_init_creds failed: Bad encryption type

Any ideas?

-dan


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Solaris 9 Pam problem

scanell
If you are using the /usr/lib/security/pam_krb5.so.1 module, then you
have to place a copy or a link of the krb5.conf into the /etc/krb5
directory.... that is where solaris 9 pam module looks for the krb5.conf
file!

Steve

Daniel Wachdorf wrote:

>I am trying to setup pam (with su for starters) on a solaris 9 system.  Its
>up to date with all the recommended patches.
>
>I have a valid krb5.conf file in /etc/ and sym-linked to
>/etc/krb5/krb5.conf.  It has the following in libdefaults:
>
>default_tkt_enctypes = des-cbc-crc
>default_tgs_enctypes = des-cbc-crc
>
>I created a keytab and symlinked it to /etc/krb5/krb5.keytab.
>
># klist -e -k /etc/krb5/krb5.keytab
>Keytab name: FILE:/etc/krb5/krb5.keytab
>KVNO Principal
>----
>--------------------------------------------------------------------------
>   2 host/[hidden email]
><mailto:host/[hidden email]>  (DES-CBC-CRC)
>   2 host/[hidden email]
><mailto:host/[hidden email]>  (DES-CBC-MD5)
>
>I have my /etc/hosts file with (IP address X to protect the innocent):
>
># cat /etc/hosts
>#
># Internet host table
>#
>127.0.0.1       localhost
>134.253.X.X  vmtest2c.sandia.gov vmtest2c    loghost
>
>I added the following to my pam.conf:
>
>su   auth sufficient         pam_krb5.so.1
>su   account sufficient      pam_krb5.so.1
>
>When I go to su as a Kerberos account I get:
>
>bash-2.05$ su drwachdz
>Enter Kerberos password for drwachdz:
>authentication failed:  Bad encryption type
>
>The log files show:
>
>Jun 29 16:35:06 vmtest2c su: [ID 537602 auth.error] PAM-KRB5 (auth):
>krb5_verify_init_creds failed: Bad encryption type
>
>Any ideas?
>
>-dan
>
>
>________________________________________________
>Kerberos mailing list           [hidden email]
>https://mailman.mit.edu/mailman/listinfo/kerberos
>
>  
>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Solaris 9 Pam problem

scanell
In reply to this post by Wachdorf, Daniel R
Sorry, missed your reference to /etc/krb5/krb5.keytab

I can't tell from you email if you are using SEAM or MIT Kerberos.... but this I know holds true for the MIT Kerberos 1.4...

Get a copy of the keytab file from the master and place it accordingly...
MIT Kerberos 1.4 is /usr/local/var/krb5kdc/<name>.keytab

For SEAM, I believe it goes into the /etc/krb5 directory... do not recall for sure.

Since authentication is local with su, you need the key to decrypt the password which is in the keytab file.

Check you master server logs and see if it is giving you a failure to decrypt... that would be a good indication that the local host cannot checksum the tickets because the key is on the master where the password ticket was create... now you need that key to decrypt on the client side.

Someone will probably say I am all wet, but this is what I had to do for ssh between Solaris 9 boxes using pam_krb5.so.1....
Once I place a copy of the master keytab file on the SUN server, I was then able to authenticate using Kerberos.

Steve
Daniel Wachdorf wrote:

>I am trying to setup pam (with su for starters) on a solaris 9 system.  Its
>up to date with all the recommended patches.
>
>I have a valid krb5.conf file in /etc/ and sym-linked to
>/etc/krb5/krb5.conf.  It has the following in libdefaults:
>
>default_tkt_enctypes = des-cbc-crc
>default_tgs_enctypes = des-cbc-crc
>
>I created a keytab and symlinked it to /etc/krb5/krb5.keytab.
>
># klist -e -k /etc/krb5/krb5.keytab
>Keytab name: FILE:/etc/krb5/krb5.keytab
>KVNO Principal
>----
>--------------------------------------------------------------------------
>   2 host/[hidden email]
><mailto:host/[hidden email]>  (DES-CBC-CRC)
>   2 host/[hidden email]
><mailto:host/[hidden email]>  (DES-CBC-MD5)
>
>I have my /etc/hosts file with (IP address X to protect the innocent):
>
># cat /etc/hosts
>#
># Internet host table
>#
>127.0.0.1       localhost
>134.253.X.X  vmtest2c.sandia.gov vmtest2c    loghost
>
>I added the following to my pam.conf:
>
>su   auth sufficient         pam_krb5.so.1
>su   account sufficient      pam_krb5.so.1
>
>When I go to su as a Kerberos account I get:
>
>bash-2.05$ su drwachdz
>Enter Kerberos password for drwachdz:
>authentication failed:  Bad encryption type
>
>The log files show:
>
>Jun 29 16:35:06 vmtest2c su: [ID 537602 auth.error] PAM-KRB5 (auth):
>krb5_verify_init_creds failed: Bad encryption type
>
>Any ideas?
>
>-dan
>
>
>________________________________________________
>Kerberos mailing list           [hidden email]
>https://mailman.mit.edu/mailman/listinfo/kerberos
>
>  
>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Solaris 9 Pam problem

Wachdorf, Daniel R
In reply to this post by Wachdorf, Daniel R
I symlinked /etc/v5srvtab to /etc/krb5/krb5.keytab - which is what seam
is looking for.

I looked at the server logs - it's issuing a ticket fine.  I even
sniffed the traffic, the as request goes through fine.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of scanell
Sent: Thursday, June 30, 2005 3:58 PM
To: Kerberos list
Subject: Re: Solaris 9 Pam problem

Sorry, missed your reference to /etc/krb5/krb5.keytab

I can't tell from you email if you are using SEAM or MIT Kerberos....
but this I know holds true for the MIT Kerberos 1.4...

Get a copy of the keytab file from the master and place it
accordingly...
MIT Kerberos 1.4 is /usr/local/var/krb5kdc/<name>.keytab

For SEAM, I believe it goes into the /etc/krb5 directory... do not
recall for sure.

Since authentication is local with su, you need the key to decrypt the
password which is in the keytab file.

Check you master server logs and see if it is giving you a failure to
decrypt... that would be a good indication that the local host cannot
checksum the tickets because the key is on the master where the password
ticket was create... now you need that key to decrypt on the client
side.

Someone will probably say I am all wet, but this is what I had to do for
ssh between Solaris 9 boxes using pam_krb5.so.1....
Once I place a copy of the master keytab file on the SUN server, I was
then able to authenticate using Kerberos.

Steve
Daniel Wachdorf wrote:

>I am trying to setup pam (with su for starters) on a solaris 9 system.
Its

>up to date with all the recommended patches.
>
>I have a valid krb5.conf file in /etc/ and sym-linked to
>/etc/krb5/krb5.conf.  It has the following in libdefaults:
>
>default_tkt_enctypes = des-cbc-crc
>default_tgs_enctypes = des-cbc-crc
>
>I created a keytab and symlinked it to /etc/krb5/krb5.keytab.
>
># klist -e -k /etc/krb5/krb5.keytab
>Keytab name: FILE:/etc/krb5/krb5.keytab
>KVNO Principal
>----
>-----------------------------------------------------------------------
---

>   2 host/[hidden email]
><mailto:host/[hidden email]>  (DES-CBC-CRC)
>   2 host/[hidden email]
><mailto:host/[hidden email]>  (DES-CBC-MD5)
>
>I have my /etc/hosts file with (IP address X to protect the innocent):
>
># cat /etc/hosts
>#
># Internet host table
>#
>127.0.0.1       localhost
>134.253.X.X  vmtest2c.sandia.gov vmtest2c    loghost
>
>I added the following to my pam.conf:
>
>su   auth sufficient         pam_krb5.so.1
>su   account sufficient      pam_krb5.so.1
>
>When I go to su as a Kerberos account I get:
>
>bash-2.05$ su drwachdz
>Enter Kerberos password for drwachdz:
>authentication failed:  Bad encryption type
>
>The log files show:
>
>Jun 29 16:35:06 vmtest2c su: [ID 537602 auth.error] PAM-KRB5 (auth):
>krb5_verify_init_creds failed: Bad encryption type
>
>Any ideas?
>
>-dan
>
>
>________________________________________________
>Kerberos mailing list           [hidden email]
>https://mailman.mit.edu/mailman/listinfo/kerberos
>
>  
>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos



________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos