SEAM, pam_krb5.so, and failover

From: Heilke, Rainer (Rainer.Heilke@atcoitek.com)
Date: Wed Apr 16 2003 - 12:57:44 EDT


Hi Sun managers,

Anyone heard of this problem with SEAM's pam_krb5.so.1 under Solaris 8?

pam_krb5.so.1 doesn't seem to query more than 1 KDC before giving up.

We're doing some fail-over testing and we've noticed that when we shut down our primary KDC, pam_krb5.so.1 will not allow users to log in. Our Linux boxes work just fine, so we know that the secondary KDC has good data and works.

If we temporarily reverse the order of our kdc lines, we can authenticate to our slave KDC just fine under Solaris.

Our krb5.conf is:

[libdefaults]
    clockskew = 5
    ticket_lifetime = 600
    default_realm = TEST.CA
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

[realms]
    TEST.CA = {
        kdc = kerberos.test.ca:88
        kdc = kerberos-1.test.ca:88
        admin_server = kerberos.test.ca:749
        kpasswd_protocol = SET_CHANGE
        default_domain = test.ca
    }

[domain_realm]
    .test.ca = TEST.CA
    test.ca = TEST.CA

[appdefaults]
    kinit = {
        renewable = false
        forwardable = true
    }

List steps to reproduce problem (if applicable):
1. Shut down primary KDC (kerberos.test.ca).
2. Try to telnet to box and enter password.

Authentication fails. When the primary KDC is back online, authentication succeeds.

Thanks, and I will post a summary as soon as I can.
(Posted on behalf of) Mike.

Please send replies to mailto:michael,houle@atcoitek.com

Rainer Heilke
Unix Systems Administrator
ATCO I-Tek
Phone: 780-420-7806
Fax: 780-420-3939
Email: rainer.heilke@atcoitek.com

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
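
Added example, not part of the original post and not SEAM code: a small check that reads the kdc lines for a realm in the order krb5.conf lists them and tests whether each one accepts a connection, so a failover test can confirm from the affected host that the secondary is reachable independently of pam_krb5.so.1. It assumes the KDCs accept TCP on the listed port; the function names and the sample text are constructed for illustration, and a successful connect shows reachability only, not a valid Kerberos reply.

```python
import re
import socket
import sys

# Constructed sample: the [realms] stanza from the krb5.conf in the post.
SAMPLE_KRB5_CONF = """\
[realms]
TEST.CA = {
kdc = kerberos.test.ca:88
kdc = kerberos-1.test.ca:88
admin_server = kerberos.test.ca:749
}
"""

def realm_kdcs(conf_text, realm):
    """Return [(host, port), ...] for `realm`, in the order listed under [realms]."""
    section, current, kdcs = None, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("["):                 # new top-level section
            section, current = line.strip("[]").lower(), None
        elif section == "realms":
            opened = re.match(r"(\S+)\s*=\s*\{$", line)
            if opened:                           # "TEST.CA = {"
                current = opened.group(1)
            elif line == "}":
                current = None
            elif current == realm:
                key, _, value = (p.strip() for p in line.partition("="))
                if key == "kdc":
                    host, _, port = value.partition(":")
                    kdcs.append((host, int(port or 88)))   # 88 = Kerberos default
    return kdcs

def probe(kdcs, timeout=3.0, connect=socket.create_connection):
    """TCP-connect to each KDC in listed order; return [(host, port, reachable)]."""
    results = []
    for host, port in kdcs:
        try:
            connect((host, port), timeout).close()
            results.append((host, port, True))
        except OSError:                          # refused, timed out, DNS failure
            results.append((host, port, False))
    return results

if __name__ == "__main__":
    # Usage: script.py <path to krb5.conf> <REALM>; falls back to the sample.
    given = len(sys.argv) > 2
    text = open(sys.argv[1]).read() if given else SAMPLE_KRB5_CONF
    for host, port, ok in probe(realm_kdcs(text, sys.argv[2] if given else "TEST.CA")):
        print(f"{host}:{port} {'reachable' if ok else 'UNREACHABLE'}")
```

With the primary shut down, the expected result is an unreachable first entry and a reachable second entry; if that holds and logins still fail, the client is not moving on to the second kdc line.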


