LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > Solaris / OpenSolaris
User Name
Password
Solaris / OpenSolaris This forum is for the discussion of Solaris, OpenSolaris, OpenIndiana, and illumos.
General Sun, SunOS and Sparc related questions also go here. Any Solaris fork or distribution is welcome.

Notices


Reply
  Search this Thread
Old 12-27-2007, 01:22 PM   #1
kawhyte
LQ Newbie
 
Registered: Nov 2007
Posts: 7

Rep: Reputation: 0
Multi Realm Kerberos login


I am running Solaris 10.
My company has two Kerberos realms.
I can login to the primary realm with a user account.
I can kinit to a differnet user account but can't login.

Ex:

ssh user1@host.domain
bash%
ssh user2@host.domain
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

/etc/pam.conf
Code:
#
#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1
login   auth sufficient         pam_unix_auth.so.1
# login auth required           pam_dial_auth.so.1

dtlogin auth requisite          pam_authtok_get.so.1
dtlogin auth required           pam_dhkeys.so.1
dtlogin auth required           pam_unix_cred.so.1
dtlogin auth sufficient         pam_krb5.so.1
dtlogin auth sufficient         pam_unix_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
# rlogin        auth sufficient         pam_rhosts_auth.so.1
# rlogin        auth requisite          pam_authtok_get.so.1
# rlogin        auth required           pam_dhkeys.so.1
# rlogin        auth required           pam_unix_cred.so.1
# rlogin        auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# rsh   auth sufficient         pam_rhosts_auth.so.1
# rsh   auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
# ppp   auth requisite          pam_authtok_get.so.1
# ppp   auth required           pam_dhkeys.so.1
# ppp   auth required           pam_unix_cred.so.1
# ppp   auth required           pam_unix_auth.so.1
# ppp   auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth sufficient         pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
/etc/krb5/krb5.conf
Code:
[libdefaults]
    default_realm = REALM1
    default_tgs_enctypes = des-cbc-crc,des-cbc-md5
    default_tkt_enctypes = des-cbc-crc,des-cbc-md5
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    REALM1 = {
        kdc = realm1.kdc
        verify_ap_req_nofail = false
    }
    REALM2 = {
        kdc = realm2.kdc
        verify_ap_req_nofail = false
    }

[capaths]
    REALM1 = {
      REALM2 = AD
    }
    REALM2= {
        REALM1 = AD
    }

getent passwd user1
is correct

getent passwd user2
is correct

kinit user2@REAML2
works

Any ideas?

Thanks

kawhyte
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
using kerberos for login authentication narendra.pant Red Hat 0 09-11-2007 03:31 PM
Howto Kerberos+PAM login? licht Linux - Security 0 07-24-2007 05:29 PM
kerberos/ldap login -> samba problems mesepher Linux - Software 6 02-28-2006 08:33 AM
Single Login with LDAP and Kerberos edgood1 Linux - Software 0 02-27-2006 06:01 PM
Kerberos NIS Domain/realm confusion PDock Linux - Networking 0 11-28-2005 07:13 AM

LinuxQuestions.org > Forums > Other *NIX Forums > Solaris / OpenSolaris

All times are GMT -5. The time now is 04:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration