Kerberos authentication from Solaris-9 client against Windows-2003 AD server

From: rob.de.langhe@belgacom.be
Date: Tue Jun 14 2005 - 03:36:01 EDT


Hi,

we want to have a common authentication database in this company, so
that accounts and passwords exist only once and can be managed in a
more streamlined way.
The base is considered to be the user-database in Windows Active
Directory 2003, and clients (thus also UNIX servers) should use Kerberos
to authenticate against this AD.

In our test-setup, the AD-administrators have generated keytab files for
2 pilot UNIX servers, one HP and one SUN. They have specified to use NO
ENCRYPTION while generating those keys.

They also created a test-account in their AD, that we can use to try an
authentication on the UNIX servers.

What we managed to get at so far, on both HP and SUN, is the "kinit
testaccount".

But where we get stuck, is somewhere in the PAM configuration, we
think: when trying to login on those UNIX servers (via "login testaccount",
or "ssh", or "telnet", or whatever client), we get the password-prompt,
enter the same pwd as what was used for the "kinit" command (so correct
pwd), but then on the UNIX server to which we connect the following
message is displayed on the console (depending on the protocol used):

Jun 10 19:08:30 ecarsf login: [ID 537602 auth.error] PAM-KRB5 (auth):
krb5_verify_init_creds failed: Bad encryption type

Jun 10 19:14:53 ecarsf sshd[13436]: [ID 537602 auth.error] PAM-KRB5
(auth): krb5_verify_init_creds failed: Bad encryption type

The "/etc/pam.conf" file is as follows:
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass
passwd auth required pam_passwd_auth.so.1
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

After the "kinit testaccount", the command "klist" produces the
following output:

Ticket cache: /tmp/krb5cc_0
Default principal: testaccount@R2-OURDOMAIN.NET

Valid starting Expires Service principal
Fri 10 Jun 2005 06:21:45 PM MEST Sat 11 Jun 2005 04:21:45 AM MEST
krbtgt/R2-OURDOMAIN.NET@R2-OURDOMAIN.NET
renew until Fri 17 Jun 2005 06:21:45 PM MEST

I know Kerberos is very little used in the UNIX community, but I am
hoping that someone out there has some experience with it.

Thx a lot for any suggestions,

Rob
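The logged error, "krb5_verify_init_creds failed: Bad encryption type", comes from the step in which pam_krb5 checks the freshly obtained TGT against the host key held in the local keytab; if the encryption type of that keytab entry is one the client library will not use, verification fails with exactly this message. A useful first check is therefore which enctypes the AD-generated keytab really contains (what "klist -ke" prints on MIT-based systems that support the -e option) and whether they fall inside the set the client accepts. The following Python script is an added example and is not part of the original post: it parses the MIT keytab file format (version 0x0502), lists principal, kvno and enctype for every entry, and flags entries whose enctype is outside a given permitted set. The keytab bytes are constructed in-process by a small builder; the host name ecarsf.example.net, the kvno and the key bytes are placeholders, and CLIENT_PERMITTED stands in for whatever permitted_enctypes / default_tkt_enctypes the client's krb5.conf allows.

```python
import struct
from typing import Dict, List, Set, Tuple

# Encryption type numbers from the IANA Kerberos registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                       timestamp: int = 0) -> bytes:
    """Encode one keytab v2 entry (used here only to construct sample input)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Assemble a version-2 (0x0502) keytab from (principal, kvno, enctype, key)."""
    return b"\x05\x02" + b"".join(build_keytab_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> List[Dict]:
    """Return principal, kvno and enctype of every live entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    entries: List[Dict] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                # negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        body = data[pos:pos + size]
        pos += size
        off = 0

        def read_counted() -> bytes:
            nonlocal off
            (n,) = struct.unpack(">H", body[off:off + 2])
            off += 2
            val = body[off:off + n]
            off += n
            return val

        (ncomp,) = struct.unpack(">H", body[off:off + 2])
        off += 2
        realm = read_counted().decode("utf-8", "replace")
        comps = [read_counted().decode("utf-8", "replace") for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", body[off:off + 9])
        off += 9
        enctype, keylen = struct.unpack(">HH", body[off:off + 4])
        off += 4 + keylen           # step over the key material
        kvno = vno8
        if off + 4 <= len(body):    # optional 32-bit kvno overrides vno8 when non-zero
            (kvno32,) = struct.unpack(">I", body[off:off + 4])
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
        })
    return entries


def unusable_entries(entries: List[Dict], permitted: Set[int]) -> List[Dict]:
    """Entries whose enctype the client will not accept: candidates for 'Bad encryption type'."""
    return [e for e in entries if e["enctype"] not in permitted]


# Constructed sample: placeholder FQDN, kvno and key bytes; the realm is the one from the post.
HOST_PRINCIPAL = "host/ecarsf.example.net@R2-OURDOMAIN.NET"
SAMPLE_KEYTAB = build_keytab([
    (HOST_PRINCIPAL, 3, 1, b"\x11" * 8),    # des-cbc-crc
    (HOST_PRINCIPAL, 3, 23, b"\x22" * 16),  # arcfour-hmac
])
CLIENT_PERMITTED = {16, 17, 18, 23}  # placeholder permitted_enctypes; DES deliberately absent

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print("%-45s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    for e in unusable_entries(found, CLIENT_PERMITTED):
        print("NOT ACCEPTED BY CLIENT: %s (%s)" % (e["principal"], e["enctype_name"]))
```

To run it against a real file, replace SAMPLE_KEYTAB with the contents of /etc/krb5/krb5.keytab read in binary mode; if every host entry lands in the "not accepted" list, the keytab and the client's enctype settings have to be brought into agreement (either by regenerating the keytab with an enctype the client uses, or by listing the keytab's enctype in the client's krb5.conf) before krb5_verify_init_creds can succeed.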

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers