[14743] in Kerberos


Re: Solaris 8 /etc/pam.conf and Mit Kerberos

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Thu Jul 26 09:15:58 2001

Date: Thu, 26 Jul 2001 09:10:36 -0400
From: Nicolas Williams <Nicolas.Williams@ubsw.com>
To: Matthew Glogowski <matthewg@world.std.com>
Cc: kerberos@MIT.EDU
Message-ID: <20010726091035.M3567@sm2p1386swk.wdr.com>
Mail-Followup-To: Matthew Glogowski <matthewg@world.std.com>,
	kerberos@MIT.EDU
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <GH2n8M.n0r@world.std.com>; from matthewg@world.std.com on Thu, Jul 26, 2001 at 08:21:42AM +0000

You really need the root/hostname.realm.com@REALM.COM Kerberos accounts.
Particularly if you intend to use Secure NFS with Kerberos security.

That said, you *can* get away with not having host-specific root
principals IFF: you don't intend to use Secure NFS *and* you're building
a sort of kiosk system where local authentication isn't very relevant.
But you may have to use some other PAM_KRB5 than Sun's for that.

Of course, segmentation faults in PAM modules are not good, so open a
ticket with Sun.

Nico


On Thu, Jul 26, 2001 at 08:21:42AM +0000, Matthew Glogowski wrote:
> after installing the K5 software and setting everything up. i attempted to
> try using Sun's PAM to provide Kerberos authentication.  everything seems
> to work, however when i use su to su to root i get the following error:
> 
> PAM-KRB5: Kerberos V5 authentication failed Client not found in Kerberos
> database
> 
> Segmentation fault
> 
> this is because PAM is attempting to find a K5 entry for
> root/hostname.realm.com@REALM.COM
> 
> (i only have an entry in the database for root@REALM.COM.)
> 
> i'd like to avoid adding each machine to the K5 database, and instead would
> only like to limit the KDCs to the database.
> 
> when i use "su -" i can login and just get an error message regarding not
> having credentials.  i'd like to try and use su instead of ksu if at all
> possible.
> 
> is there some other tweaking of PAM on the Sun side which is possible?
> 
> thanks,
> 
> -matt
--
. 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
