LinuxQuestions.org
Solaris / OpenSolaris This forum is for the discussion of Solaris, OpenSolaris, OpenIndiana, and illumos.
General Sun, SunOS and Sparc related questions also go here. Any Solaris fork or distribution is welcome.
Old 12-27-2007, 01:22 PM   #1
kawhyte
LQ Newbie
 
Registered: Nov 2007
Posts: 7

Rep: Reputation: 0
Multi Realm Kerberos login


I am running Solaris 10.
My company has two Kerberos realms.
I can login to the primary realm with a user account.
I can kinit to a different user account but can't login.

Ex:

ssh user1@host.domain
bash%
ssh user2@host.domain
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

/etc/pam.conf
Code:
#
#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1
login   auth sufficient         pam_unix_auth.so.1
# login auth required           pam_dial_auth.so.1

dtlogin auth requisite          pam_authtok_get.so.1
dtlogin auth required           pam_dhkeys.so.1
dtlogin auth required           pam_unix_cred.so.1
dtlogin auth sufficient         pam_krb5.so.1
dtlogin auth sufficient         pam_unix_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
# rlogin        auth sufficient         pam_rhosts_auth.so.1
# rlogin        auth requisite          pam_authtok_get.so.1
# rlogin        auth required           pam_dhkeys.so.1
# rlogin        auth required           pam_unix_cred.so.1
# rlogin        auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# rsh   auth sufficient         pam_rhosts_auth.so.1
# rsh   auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
# ppp   auth requisite          pam_authtok_get.so.1
# ppp   auth required           pam_dhkeys.so.1
# ppp   auth required           pam_unix_cred.so.1
# ppp   auth required           pam_unix_auth.so.1
# ppp   auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth sufficient         pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
/etc/krb5/krb5.conf
Code:
[libdefaults]
    default_realm = REALM1
    default_tgs_enctypes = des-cbc-crc,des-cbc-md5
    default_tkt_enctypes = des-cbc-crc,des-cbc-md5
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    REALM1 = {
        kdc = realm1.kdc
        verify_ap_req_nofail = false
    }
    REALM2 = {
        kdc = realm2.kdc
        verify_ap_req_nofail = false
    }

[capaths]
    REALM1 = {
      REALM2 = AD
    }
    REALM2 = {
        REALM1 = AD
    }

getent passwd user1
is correct

getent passwd user2
is correct

kinit user2@REALM2
works

Any ideas?

Thanks

kawhyte
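Added example, not part of the thread or of Solaris: a small Python linter that parses a krb5.conf in the syntax shown above and reports the settings that commonly break or weaken a cross-realm setup. It checks that default_realm and every realm named in [capaths] has a [realms] entry with a kdc, that each cross-realm path has a reverse path, that intermediate realms in [capaths] are defined (the "AD" hop above is not, so it can only be found through dns_lookup_kdc), and it flags single-DES and RC4 enctypes plus verify_ap_req_nofail = false (which lets a login proceed even when the TGT cannot be checked against the host keytab). The embedded sample is the poster's krb5.conf; the parser and check logic are my own and only cover the config file, not the pam.conf side of the login.

```python
"""Static checks on a krb5.conf for settings that commonly break or weaken
cross-realm logins. Added example; the rules here are the author's, not
Solaris's or MIT's."""
import re

# Enctypes deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}

# Constructed sample: the krb5.conf quoted in the post above.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = REALM1
    default_tgs_enctypes = des-cbc-crc,des-cbc-md5
    default_tkt_enctypes = des-cbc-crc,des-cbc-md5
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    REALM1 = {
        kdc = realm1.kdc
        verify_ap_req_nofail = false
    }
    REALM2 = {
        kdc = realm2.kdc
        verify_ap_req_nofail = false
    }
[capaths]
    REALM1 = {
      REALM2 = AD
    }
    REALM2= {
        REALM1 = AD
    }
"""


def parse_krb5_conf(text):
    """Parse [section] / key = value / key = { ... } blocks into nested dicts.
    A key repeated inside one block (e.g. several kdc lines) becomes a list."""
    conf = {}
    stack = []  # open dicts: stack[0] is the section, the rest are { } blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and len(stack) <= 1:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"directive outside any section: {line}")
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
            continue
        existing = stack[-1].get(key)
        if existing is None:
            stack[-1][key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            stack[-1][key] = [existing, value]
    return conf


def lint_krb5_conf(conf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = {k: v for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    capaths = {k: v for k, v in conf.get("capaths", {}).items() if isinstance(v, dict)}

    default_realm = libdefaults.get("default_realm")
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] entry")

    # Weak enctypes offered for TGT / service ticket negotiation.
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for enc in re.split(r"[\s,]+", str(libdefaults.get(key, ""))):
            if enc.lower() in WEAK_ENCTYPES:
                findings.append(f"{key}: weak enctype {enc}")

    for name, realm in realms.items():
        if "kdc" not in realm:
            findings.append(f"[realms] {name}: no kdc defined")
        if str(realm.get("verify_ap_req_nofail", "")).lower() == "false":
            findings.append(f"[realms] {name}: verify_ap_req_nofail = false accepts a "
                            "TGT even when it cannot be verified against the host keytab")

    # Every cross-realm path should name known realms and have a reverse path.
    for client, paths in capaths.items():
        for server, via in paths.items():
            for r in (client, server):
                if r not in realms:
                    findings.append(f"[capaths] {client} -> {server}: {r} has no [realms] entry")
            if via != "." and via not in realms:
                findings.append(f"[capaths] {client} -> {server}: intermediate realm {via} "
                                "has no [realms] entry (found only if dns_lookup_kdc resolves it)")
            if client not in capaths.get(server, {}):
                findings.append(f"[capaths] {server} -> {client}: no reverse path defined")
    return findings
```

Run `lint_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF))` to see the findings for the configuration in the post; the [capaths] block is symmetric, so the report is limited to the DES enctypes, the two verify_ap_req_nofail settings and the undefined AD hop.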