Solaris 9 + Heimdal KDC?

Hi,

(This is a resend --- I didn't see it pop up on the list)

I have a heimdal KDC running on an openbsd box (the heimdal included in the base system), and I'm trying to connect a Solaris 9 system using PAM.  I am using the latest patches from SunSolve even.  I am using Sun's SSH.

I have set up a host keytab for the Solaris machine in the KDC, using only des-cbc-crc, as I couldn't kinit with the keytab unless I was only using that.

But when I try and use the kdc through PAM, things don't work.  I get an error message that Sun's docs say mean I don't have a keytab (wtf?).

So, here is kadmin -l:

kadmin> get *test*
               Principal: host/test.prod.gmi.com@GMI.COM
       Principal expires: never
        Password expires: never
    Last password change: never
         Max ticket life: 1 day
      Max renewable life: 1 week
                    Kvno: 2
                   Mkvno: 0
                  Policy: none
   Last successful login: never
       Last failed login: never
      Failed login count: 0
           Last modified: 2005-02-11 21:17:12 UTC
                Modifier: kadmin/admin@GMI.COM
              Attributes: 
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt)

Here is kinit -k -t /etc/krb5.keytab:

bash-2.05# kinit -k -t /etc/krb5/krb5.keytab 
bash-2.05# klist
Ticket cache: /tmp/krb5cc_0
Default principal: host/test.prod.gmi.com@GMI.COM

Valid starting                       Expires                       Service principal
Fri Feb 11 15:39:09 2005  Sat Feb 12 15:39:09 2005  krbtgt/GMI.COM@GMI.COM
        renew until Fri Feb 18 15:39:09 2005

Here is kinit as a user (su - from root to user):

bash-2.05$ kinit adam
Password for adam@GMI.COM: 
bash-2.05$ klist
Ticket cache: /tmp/krb5cc_1001
Default principal: adam@GMI.COM

Valid starting                       Expires                       Service principal
Fri Feb 11 15:42:26 2005  Sat Feb 12 15:42:26 2005  krbtgt/GMI.COM@GMI.COM
        renew until Fri Feb 18 15:42:26 2005

So then I try to ssh (I have enabled pam_debug with /etc/pam_debug) from a remote host, and I get this in the pam logs:

Feb 11 13:33:59 test sshd[9824]: [ID 931636 auth.debug] PAM[9824]: load_function: successful load of pam_sm_authenticate
Feb 11 13:33:59 test sshd[9824]: [ID 279422 auth.debug] PAM[9824]: pam_get_user(cf990, 61746500, NULL)
Feb 11 13:33:59 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:authtok)
Feb 11 13:33:59 test last message repeated 1 time
Feb 11 13:33:59 test sshd[9824]: [ID 213912 auth.debug] PAM[9824]: pam_authenticate(cf990, 1): error Authentication failed
Feb 11 13:33:59 test last message repeated 1 time
Feb 11 13:33:59 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:authtok)


Feb 11 13:34:04 test sshd[9824]: PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
Feb 11 13:34:04 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:conv)
Feb 11 13:34:04 test sshd[9824]: [ID 218459 auth.debug] PAM[9824]: pam_authenticate(cf990, 1)
Feb 11 13:34:04 test sshd[9824]: [ID 794658 auth.debug] PAM[9824]: load_modules(cf990, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 11 13:34:04 test sshd[9824]: [ID 279422 auth.debug] PAM[9824]: pam_get_user(cf990, ff00, NULL)
Feb 11 13:34:04 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:authtok)
Feb 11 13:34:04 test last message repeated 1 time
Feb 11 13:34:04 test sshd[9824]: [ID 213912 auth.debug] PAM[9824]: pam_authenticate(cf990, 1): error Authentication failed
Feb 11 13:34:04 test sshd[9824]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
Feb 11 13:34:04 test sshd[9824]: [ID 213912 auth.debug] PAM[9824]: pam_authenticate(cf990, 1): error Authentication failed
Feb 11 13:34:04 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:authtok)
Feb 11 13:34:04 test sshd[9824]: [ID 800047 auth.info] Failed password for adam from 10.1.1.110 port 36008 ssh2
Feb 11 13:34:06 test sshd[9824]: [ID 800047 auth.info] Connection closed by 10.1.1.110
Feb 11 13:34:06 test sshd[9824]: [ID 938422 auth.debug] PAM[9824]: pam_end(cf990): status = Success

the line, "PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found" is the one in Sun's docs that claims I don't have a keytab.

The space I put in the log is me hitting enter on that terminal when I see the password prompt, but before I enter the password and hit enter.

Here is what I see on the KDC:

2005-02-11 15:46:10.861750500 2005-02-11T15:46:10 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-11 15:46:10.862490500 2005-02-11T15:46:10 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-11 15:46:10.862492500 2005-02-11T15:46:10 Using des-cbc-md5/des-cbc-md5
2005-02-11 15:46:10.862494500 2005-02-11T15:46:10 Using des-cbc-md5/des-cbc-md5
2005-02-11 15:46:10.862495500 2005-02-11T15:46:10 Requested flags: renewable, forwardable
2005-02-11 15:46:10.862496500 2005-02-11T15:46:10 Requested flags: renewable, forwardable
2005-02-11 15:46:10.862498500 2005-02-11T15:46:10 sending 548 bytes to IPv4:10.1.1.125
2005-02-11 15:46:10.862508500 2005-02-11T15:46:10 sending 548 bytes to IPv4:10.1.1.125

Now I notice that des-cbc-md5 is listed there.  I'm kind of wondering what is up with that, but I see the same logs (below) when I kinit as a user:

2005-02-11 15:48:03.285116500 2005-02-11T15:48:03 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-11 15:48:03.285855500 2005-02-11T15:48:03 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-11 15:48:03.285857500 2005-02-11T15:48:03 Using des-cbc-md5/des-cbc-md5
2005-02-11 15:48:03.285859500 2005-02-11T15:48:03 Using des-cbc-md5/des-cbc-md5
2005-02-11 15:48:03.285860500 2005-02-11T15:48:03 Requested flags: renewable, forwardable
2005-02-11 15:48:03.285862500 2005-02-11T15:48:03 Requested flags: renewable, forwardable
2005-02-11 15:48:03.285863500 2005-02-11T15:48:03 sending 548 bytes to IPv4:10.1.1.125
2005-02-11 15:48:03.285872500 2005-02-11T15:48:03 sending 548 bytes to IPv4:10.1.1.125

So it doesn't seem too "off."  The clocks are synced.

Here is /etc/pam.conf (I grep -v "^#" /etc/pam.conf for brevity):

bash-2.05# grep -v "^#" /etc/pam.conf
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
rsh     auth required           pam_unix_auth.so.1
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_krb5.so.1 use_first_pass
passwd  auth required           pam_passwd_auth.so.1
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
other   account optional        pam_krb5.so.1
other   session optional        pam_krb5.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1


So... I am no PAM wizard (I've tried simply uncommenting Sun's krb5 lines, and copying the pam.conf from http://www.ofb.net/~jheiss/krbldap/files/pam.conf-9), but where should I look to fix this problem?  Or is it that Sun's SSH/PAM just doesn't work too great with Heimdal?

Oh, and here is /etc/krb5/krb5.conf:

bash-2.05# grep -v "^#" /etc/krb5/krb5.conf 

[libdefaults]
        default_realm = GMI.COM

[realms]
        GMI.COM = {
                kdc = krb0.prod.gmi.com
                #kdc = krb1.prod.gmi.com
                admin_server = krb0.prod.gmi.com
        }

[domain_realm]
        .gmi.com = GMI.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }

Any ideas?  Thanks a bunch!

-- 
adam
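One check worth running on the data above, as an added example that is not part of the original post: parse the Heimdal kadmin entry for the host principal and a `klist -e -k` listing of the host keytab, then compare principal, kvno and enctype, since the service ticket krb5_verify_init_creds requests for host/... can only be decrypted by a keytab entry that matches all three, and a miss on any of them surfaces as "Key table entry not found". The kadmin text is trimmed from the post; the klist layout and the enctype display names are assumptions, and the sample keytab kvno is set one behind the KDC on purpose.

```python
import re

# Constructed samples: KADMIN_GET is trimmed from the post's `kadmin -l get` output;
# KEYTAB_LISTING follows the `klist -e -k` layout (assumed), kvno one behind the KDC.
KADMIN_GET = """\
               Principal: host/test.prod.gmi.com@GMI.COM
                    Kvno: 2
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt)
"""
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   1 host/test.prod.gmi.com@GMI.COM (DES cbc mode with CRC-32)
"""
# Assumed display names klist prints for the DES types, mapped to kadmin's names.
ENCTYPE_NAMES = {"DES cbc mode with CRC-32": "des-cbc-crc", "DES cbc mode with RSA-MD5": "des-cbc-md5"}
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*(?:\((.*)\))?\s*$")

def parse_kadmin_get(text):
    """Return principal, kvno and enctype set from a Heimdal kadmin 'get' dump."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    raw = fields.get("Keytypes(salttype[(salt-value)])", "")
    enctypes = {re.sub(r"\(.*\)$", "", kt.strip()) for kt in raw.split(",") if kt.strip()}
    return {"principal": fields["Principal"], "kvno": int(fields["Kvno"]), "enctypes": enctypes}

def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype)] from klist -e -k style output."""
    entries = []
    for m in filter(None, map(KEYTAB_LINE.match, text.splitlines())):
        kvno, princ, name = m.groups()
        entries.append((int(kvno), princ, ENCTYPE_NAMES.get(name, name)))
    return entries

def check_keytab(kdc, keytab):
    """List reasons the keytab cannot match the KDC entry; [] means it matches."""
    mine = [e for e in keytab if e[1] == kdc["principal"]]
    if not mine:
        return ["no keytab entry for " + kdc["principal"]]
    problems, kvnos, types = [], {k for k, _, _ in mine}, {t for _, _, t in mine}
    if kdc["kvno"] not in kvnos:
        problems.append("kvno mismatch: KDC %d, keytab %s" % (kdc["kvno"], sorted(kvnos)))
    if not types & kdc["enctypes"]:
        problems.append("no shared enctype: KDC %s, keytab %s" % (sorted(kdc["enctypes"]), sorted(types)))
    return problems
```

Feed it the real `kadmin -l get host/<fqdn>` and `klist -e -k` output from the two machines; an empty list means the keytab is not the reason for the error and attention can move to the PAM stack instead.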