Found why: the "keytab" file generated for this SUN client was generated NOT using one of the 3 supported encryption types: des-cbc-crc, des-cbc-md5, or des-cbc-raw. I asked the AD/KDC admins to regenerate the keytab file with des-cbc-md5, and auth went fine.

thx for subtly informing me that you guys are out of the office taking holidays and that I am still working here!

Rob

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of rob.de.langhe@belgacom.be
Sent: 14 June 2005 09:36
To: sunmanagers@sunmanagers.org
Subject: Kerberos authentication from Solaris-9 client against Windows-2003 AD server

Hi,

we want to have a common authentication database in this company, so that accounts and passwords exist only once and can be managed in a more streamlined way. The base is considered to be the user database in Windows Active Directory 2003, and clients (thus also UNIX servers) should use Kerberos to authenticate against this AD.

In our test setup, the AD administrators have generated keytab files for 2 pilot UNIX servers, one HP and one SUN. They have specified to use NO ENCRYPTION while generating those keys. They also created a test account in their AD that we can use to try an authentication on the UNIX servers.

What we managed to get at so far, on both HP and SUN, is the "kinit testaccount".

But where we get stuck is somewhere in the PAM configuration, we think: when trying to log in on those UNIX servers (via "login testaccount", or "ssh", or "telnet", or whatever client), we get the password prompt, enter the same pwd as what was used for the "kinit" command (so the correct pwd), but then on the UNIX server to which we connect the following message is displayed on the console (depending on the protocol used):

Jun 10 19:08:30 ecarsf login: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type
Jun 10 19:14:53 ecarsf sshd[13436]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type

The "/etc/pam.conf" file is as follows:

other   auth     requisite  pam_authtok_get.so.1
other   auth     sufficient pam_unix_auth.so.1
other   auth     required   pam_krb5.so.1 use_first_pass
passwd  auth     required   pam_passwd_auth.so.1
cron    account  required   pam_projects.so.1
cron    account  required   pam_unix_account.so.1
other   account  requisite  pam_roles.so.1
other   account  required   pam_projects.so.1
other   account  required   pam_unix_account.so.1
other   session  required   pam_unix_session.so.1
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1

After the "kinit testaccount", the command "klist" produces the following output:

Ticket cache: /tmp/krb5cc_0
Default principal: testaccount@R2-OURDOMAIN.NET

Valid starting                    Expires                           Service principal
Fri 10 Jun 2005 06:21:45 PM MEST  Sat 11 Jun 2005 04:21:45 AM MEST  krbtgt/R2-OURDOMAIN.NET@R2-OURDOMAIN.NET
        renew until Fri 17 Jun 2005 06:21:45 PM MEST

I know Kerberos is very little used in the UNIX community, but I am hoping that someone out there has some experience with it.

Thx a lot for any suggestions,
Rob

**** DISCLAIMER ****
http://www.belgacom.be/maildisclaimer
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Tue Jun 14 09:31:27 2005
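The root cause in this thread was a keytab whose key used an encryption type the Solaris 9 Kerberos library could not handle, which surfaces only as "Bad encryption type" from krb5_verify_init_creds. The following is an added example, not code from the thread: a small parser for the version 2 keytab file format that lists each key's enctype and flags the ones outside the three DES types the poster names. The principal host/ecarsf@R2-OURDOMAIN.NET, the key bytes and the kvno in the sample keytab are constructed for the example.

```python
import struct
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 4: "des-cbc-raw", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SOLARIS9_ENCTYPES = {1, 3, 4}   # the only enctypes this Solaris 9 pam_krb5 can verify with
def _counted(buf, off):          # keytab counted_octet_string: uint16 length, then bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 2 (0x0502) keytab into dicts of principal, kvno, enctype, keylen."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                           # skip uint32 name_type and uint32 timestamp
        vno, p = data[p], p + 1          # 8-bit key version number
        (enctype,) = struct.unpack_from(">H", data, p)
        key, p = _counted(data, p + 2)
        if end - p >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "keylen": len(key)})
        off = end
    return entries

def unsupported_entries(entries, supported=SOLARIS9_ENCTYPES):
    return [(e["principal"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])))
            for e in entries if e["enctype"] not in supported]

def _entry(realm, comps, enctype, key, kvno=2):   # serialise one entry (test data only)
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    body += b"".join(struct.pack(">H", len(c)) + c for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno)           # NT-PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body
SAMPLE_KEYTAB = (b"\x05\x02"   # constructed test keytab with dummy key bytes
                 + _entry(b"R2-OURDOMAIN.NET", [b"host", b"ecarsf"], 23, b"\x11" * 16)   # AD default rc4-hmac
                 + _entry(b"R2-OURDOMAIN.NET", [b"host", b"ecarsf"], 3, b"\x22" * 8))    # des-cbc-md5
```

Running unsupported_entries(parse_keytab(SAMPLE_KEYTAB)) reports the rc4-hmac key as unusable by this client, which is exactly the situation the poster hit; on a host with MIT tools, `klist -e -k FILE` shows the same enctype column.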
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:48 EST