LDAP+Kerberos in Solaris 8

rmanin_at_ime.unicamp.br
Date: 05/31/04

    Date: Mon, 31 May 2004 12:43:50 -0300 (BRT)
    To: <sunmanagers@sunmanagers.org>

    Hi!

    I'm setting up a LDAP+Kerberos environment, with:
    - LDAP server: OpenLDAP 2.1.22
    - KDC: MIT Kerberos 1.3.1
    - LDAP & Kerberos clients: default from Solaris 8 distribution

    I installed all Public patches recommended by PatchPro expert (including
    108993-33).

    Problem is:

    When I try to log in with a user that exists in the local passwd/shadow file,
    it authenticates ok at my kerberos server and all works fine.

    But when I try to log in with a user from LDAP, it gets the kerberos
    ticket but reports a "user not found" error - and I cannot log in. My
    pam_debug file logs:

    ----------
    May 31 12:32:05 navarone login: [ID 123153 auth.debug] PAM[1384]:
    pam_set_item(291d0:user)
    May 31 12:32:08 navarone login: [ID 123153 auth.debug] PAM[1384]:
    pam_set_item(291d0:authtok)
    May 31 12:32:08 navarone last message repeated 1 time
    May 31 12:32:08 navarone login: [ID 215406 auth.debug] PAM[1384]:
    pam_authenticate(291d0, 0): error No account present for user
    May 31 12:32:08 navarone login: [ID 896952 auth.debug] pam_unix_auth:
    entering pam_sm_authenticate()
    May 31 12:32:08 navarone login: [ID 219349 auth.debug] pam_unix_auth: user
    rmanin not found
    May 31 12:32:08 navarone login: [ID 215406 auth.debug] PAM[1384]:
    pam_authenticate(291d0, 0): error No account present for user
    May 31 12:32:08 navarone login: [ID 341892 auth.debug] PAM[1384]:
    pam_putenv(291d0, KRB5CCNAME=FILE:/tmp/krb5cc_60014)
    May 31 12:32:08 navarone login: [ID 123153 auth.debug] PAM[1384]:
    pam_set_item(291d0:authtok)
    May 31 12:32:12 navarone login: [ID 123153 auth.debug] PAM[1384]:
    pam_set_item(291d0:user)
    May 31 12:32:12 navarone login: [ID 123153 auth.debug] PAM[1384]:
    pam_set_item(291d0:ruser)
    ----------

    But 'finger', 'id', 'listusers' - all of them get users from the LDAP maps
    with no problems:

    ----------
    Rodolfo@navarone:[/etc]# finger rmanin
    Login name: rmanin In real life: Rodolfo Broco Manin
    Directory: /home/adm/inf/rmanin Shell: /bin/csh
    Never logged in.
    No unread mail
    No Plan.
    Rodolfo@navarone:[/etc]#
    ----------

    What is wrong?

    My pam.conf file is:

    ----------
    # PAM configuration
    #
    # Authentication management
    #
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth sufficient pam_unix_auth.so.1 debug
    #
    # Account management
    #
    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account sufficient pam_unix_account.so.1
    other account sufficient pam_ldap.so.1
    #
    # Session management
    #
    other session sufficient pam_unix_session.so.1
    other session sufficient pam_ldap.so.1
    #
    # Password management
    #
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    #
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #
    other auth sufficient pam_krb5.so.1 try_first_pass
    other account sufficient pam_krb5.so.1
    other session sufficient pam_krb5.so.1
    other password optional pam_krb5.so.1 try_first_pass
    ----------

    My /etc/nsswitch.conf:

    ----------
    passwd: files ldap
    group: files ldap
    hosts: files dns
    ipnodes: files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: files
    automount: files ldap
    aliases: files
    services: files
    sendmailvars: files
    printers: user files
    auth_attr: files
    prof_attr: files
    project: files
    ----------

    My krb5.conf:

    ----------
    [libdefaults]
            ticket_lifetime = 8h 0m 0s
            default_realm = IME.UNICAMP.BR
            default_tgs_enctypes = des-cbc-crc

    [realms]
            IME.UNICAMP.BR = {
                    kdc = kerberos.ime.unicamp.br
                    admin_server = kerberos.ime.unicamp.br
                    default_domain = ime.unicamp.br
            }

    [domain_realm]
            .ime.unicamp.br = IME.UNICAMP.BR
            ime.unicamp.br = IME.UNICAMP.BR

    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log
            kdc_rotate = {
                    period = 1d
                    versions = 10
            }

    [appdefaults]
            kinit = {
                    renewable = true
                    forwardable= true
            }
    ---------

    And my ldap_client_file looks like...

    ---------
    #
    # Do not edit this file manually; your changes will be lost.Please use
    ldapclient (1M) instead.
    #
    NS_LDAP_FILE_VERSION= 1.0
    NS_LDAP_SERVERS= 143.106.77.100:389
    NS_LDAP_SEARCH_BASEDN= dc=ime,dc=unicamp,dc=br
    NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
    NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
    NS_LDAP_DOMAIN= ime.unicamp.br
    NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ime,dc=unicamp,dc=br)
    NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ime,dc=unicamp,dc=br)
    NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 3600
    ---------

    Thanks in advance!!

    []s!
    Rodolfo
    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
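The post above hinges on how the Solaris pam.conf stack composes its `requisite`, `required`, `sufficient` and `optional` modules. The following is an added example, not part of the original post and not the poster's configuration tooling or Solaris's libpam: it parses pam.conf lines in the layout shown above into per-(service, type) stacks and then simulates a login against the `other auth` stack with constructed module outcomes. The stacking rules are a simplified reading of pam.conf(4) (first `required` failure wins, `requisite` failure stops the stack, `sufficient` success short-circuits, PAM_IGNORE behaves as if the module were absent) and are an assumption to check against the real framework; `SAMPLE_PAM_CONF`, the outcome tables and the return-code strings are constructed for the demonstration.

```python
"""Parse Solaris-style pam.conf stacks and simulate pam.conf(4) control flags.

Added example: not the poster's code and not Solaris's libpam.  The stacking
rules are a simplified reading of pam.conf(4); exact corner cases are an
assumption.  Module outcomes are constructed stand-ins for real module calls.
"""
from collections import defaultdict

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"          # "treat as if the module were not listed"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
CONTROLS = ("requisite", "required", "sufficient", "optional")

# Constructed excerpt in the poster's layout: service type control module [options]
SAMPLE_PAM_CONF = """\
# Authentication management
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1 debug
# Support for Kerberos V5 authentication
other auth sufficient pam_krb5.so.1 try_first_pass
other account sufficient pam_unix_account.so.1
other account sufficient pam_krb5.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, [options]), ...]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        if control not in CONTROLS:
            raise ValueError("unknown control flag %r in %r" % (control, raw))
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return dict(stacks)


def evaluate_stack(stack, outcomes):
    """Walk one stack in order.  `outcomes` maps module name -> return code for
    this login (constructed; unlisted modules return PAM_IGNORE).
    Returns (framework result, modules that were actually called)."""
    required_error = None   # first failure of a required/requisite module wins
    other_error = None      # last failure of a sufficient/optional module
    any_success = False     # any non-ignored module returned PAM_SUCCESS
    called = []
    for control, module, _options in stack:
        rc = outcomes.get(module, PAM_IGNORE)
        called.append(module)
        if rc == PAM_IGNORE:
            continue
        if rc == PAM_SUCCESS:
            any_success = True
        if control == "requisite" and rc != PAM_SUCCESS:
            return (required_error or rc), called       # stack stops immediately
        if control == "required" and rc != PAM_SUCCESS and required_error is None:
            required_error = rc
        if control == "sufficient" and rc == PAM_SUCCESS and required_error is None:
            return PAM_SUCCESS, called                  # short-circuit: later modules never run
        if control in ("sufficient", "optional") and rc != PAM_SUCCESS:
            other_error = rc
    if required_error is not None:
        return required_error, called
    if any_success:
        return PAM_SUCCESS, called
    return (other_error or PAM_PERM_DENIED), called


def login_auth_result(outcomes, conf=SAMPLE_PAM_CONF):
    """Evaluate the 'other auth' stack of `conf` for the given module outcomes."""
    return evaluate_stack(parse_pam_conf(conf)[("other", "auth")], outcomes)


if __name__ == "__main__":
    scenarios = {
        "local user, pam_unix_auth succeeds": {"pam_unix_auth.so.1": PAM_SUCCESS},
        "unix says unknown, krb5 succeeds": {"pam_unix_auth.so.1": "PAM_USER_UNKNOWN",
                                             "pam_krb5.so.1": PAM_SUCCESS},
        "both authenticators say unknown": {"pam_unix_auth.so.1": "PAM_USER_UNKNOWN",
                                            "pam_krb5.so.1": "PAM_USER_UNKNOWN"},
        "required helper fails": {"pam_dhkeys.so.1": "PAM_AUTH_ERR",
                                  "pam_krb5.so.1": PAM_SUCCESS},
    }
    for name, outcomes in scenarios.items():
        result, called = login_auth_result(outcomes)
        print("%-36s -> %-16s called: %s" % (name, result, ", ".join(called)))
```

Two things the simulation makes visible that are easy to miss when reading pam.conf by eye: a `sufficient` module that succeeds ends the stack, so anything listed after it never runs for that login; and a `required` helper module that returns PAM_SUCCESS instead of PAM_IGNORE counts as a success, so a stack whose only real authenticators are `sufficient` would pass even when both of them fail. Solaris's own pam_authtok_get and pam_dhkeys return PAM_IGNORE for exactly that reason, which is why the model defaults unlisted modules to PAM_IGNORE.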
