Steps:
1. SSH to box:
2. Enter password (ldap pass)
3. Authenticates succesfully. Shell drops connection (connection closed).

The Fix:
1. Set verify_ap_req_nofail=false.
2. SSH to box:
3. Enter password (ldap pass)
4. Authenticates succesfully and lets me in.

My kerb key’s look approriate….any ideas?

Logs with ap_req_nofail=true enabled:
Sep 4 16:05:46 hostname sshd[696]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
Sep 4 16:05:46 hostname sshd[696]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user=’tclauj01′
Sep 4 16:05:46 hostname sshd[696]: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
Sep 4 16:05:46 hostname sshd[696]: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
Sep 4 16:05:46 hostname sshd[696]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS

Logs with ap_req_nofail=false:

Sep 4 16:13:19 hostname sshd[747]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
Sep 4 16:13:19 hostname sshd[747]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user=’username’
Sep 4 16:13:19 hostname sshd[747]: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
Sep 4 16:13:19 hostname sshd[747]: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
Sep 4 16:13:19 hostname sshd[747]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
Sep 4 16:13:19 hostname sshd[747]: [ID 833335 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
Sep 4 16:13:19 hostname sshd[747]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env =’KRB5CCNAME=FILE:/tmp/krb5cc_1000′, ag
e = 0, status = 0
Sep 4 16:13:19 hostname sshd[747]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Success
Sep 4 16:13:19 hostname sshd[747]: [ID 699746 auth.debug] PAM-KRB5 (acct): debug=1, nowarn=0
Sep 4 16:13:19 hostname sshd[747]: [ID 531709 auth.debug] PAM-KRB5 (acct): no module data for KRB5_AUTOMIGRATE_DATA
Sep 4 16:13:19 hostname sshd[747]: [ID 712548 auth.debug] PAM-KRB5 (acct): exp_warn start: user = ‘username’
Sep 4 16:13:19 hostname sshd[747]: [ID 734734 auth.debug] PAM-KRB5 (acct): fetch_princ_entry: non-RPCSEC_GSS chpw server, can’t get princ entry
Sep 4 16:13:19 hostname sshd[747]: [ID 615945 auth.debug] PAM-KRB5 (acct): exp_warn: fetch_pr failed 4
Sep 4 16:13:19 hostname sshd[747]: [ID 748222 auth.debug] PAM-KRB5 (acct): exp_warn end: err = 4
Sep 4 16:13:19 hostname sshd[747]: [ID 712902 auth.debug] PAM-KRB5 (acct): end: Success
Sep 4 16:13:19 hostname sshd[747]: [ID 629253 auth.debug] PAM-KRB5 (setcred): start: nowarn = 0, flags = 0×1
Sep 4 16:13:19 hostname sshd[747]: [ID 586274 auth.debug] PAM-KRB5 (setcred): kmd auth_status: Success
Sep 4 16:13:19 hostname sshd[747]: [ID 735350 auth.debug] PAM-KRB5 (setcred): end: Success
Sep 4 16:13:19 hostname sshd[747]: [ID 800047 auth.info] Accepted keyboard-interactive for username from 0.0.0.0 port 4372 ssh2
~

This by having the following entries in /etc/nsswitch.conf :
passwd: files ldap
group: files ldap
netgroup: ldap

3) we manage “netgroups”, one netgroup per server, to restrict access to people from teams that we expect to have to perform work on that server :
at the end of /etc/passwd, add the 2 lines
+@netgrpnameforthisserver:x:::::
-:x:::::

I thought we have to use passwd_compat in order to enforce
netgroup access, and that was confirmed by Sun support :

nsswitch.conf :
passwd: files compat
passwd_compat: ldap

my problem is that as soon as I enable that config, It stops working
and I get this error message from nscd :

Aug 11 15:20:48 machine nscd[3644]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (12): Unavailable critical extension.

I continue looking around

I have tested kerberos configuration with kinit
and it work:

#kinit pippo
Password for pippo@LOCAL:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pippo@LOCAL

Valid starting Expires Service principal
06/20/08 11:57:11 06/23/08 11:57:19 krbtgt/LOCAL@LOCAL
renew until 06/27/08 11:57:11

2.ldapclient work too, if I do:
ldaplist -l passwd I obtain user information

but if I test pam with getent passwd return nothing

and /var/adm/messages if I test telnet/ssh is:
Jun 20 12:07:26 SU000000010510.sip.local login: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
Jun 20 12:07:26 SU000000010510.sip.local login: [ID 219349 auth.debug] pam_unix_auth: user pippo not found

Have you any ideas?

thank’s
pierluigi

Somehow I get my getent passwd command to work as expected but my kinit command is fails. I already look at the krb5.conf & pam.conf serveral times & I still have no ideas what it is wrong w/ it. Could you please help me out?

# kinit
kinit(v5): Resource temporarily unavailable while getting initial
credentials

first i run this command i get the synchronization error but some how i sort it .
After this the command is working properly and I also check the credential cache by klist -5 command and i get the correct answer.

But the problem starts when I run the kdestroy command as mentioned in your article.
The kdestroy command works properly but after running this I run kinit user@RTU the command does not prompt for password even and give the error which I mentioned above.

here user is my username and RTU is my REALM name.

I also does not find the Environmental variable KRB5CCNAME which is used by kinit.

please help me . I think you sort out this problem early and please reply me as soon as possible

Any helps are appreciated.

Nidhi

1) authentication of passwords is done first against local files (i.e. /etc/shadow), and if the password entry is not found or invalid (like an “x” in the password field in /etc/shadow) then authenticate against the central Kerberos service which runs on Windows.

This allows you to create individual accounts on specific machines, but have them authenticated with the same password as they would use in their Windows environment (since it is the same Kerberos service that authenticates).
For example, for SSH based logins, the entries in /etc/pam.conf (Solaris-10) are :
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth sufficient pam_unix_cred.so.1
sshd-kbdint auth sufficient pam_unix_auth.so.1
sshd-kbdint auth required pam_krb5.so.1

2) to avoid account creation on individual servers, we have the servers use LDAP to make use of the Active Directory. The RFC extensions have been added in the AD to allow UNIX specific attributes.
Any account that attempts to login, is searched first in local files (/etc/passwd), and if not found it is searched for in the AD via LDAP.
This by having the following entries in /etc/nsswitch.conf :
passwd: files ldap
group: files ldap
netgroup: ldap
There is nothing LDAP-related in the /etc/pam.conf !
Typically (since people have first logged in on some PC, from there connect onto our SUN servers) any user login will be found in AD, authentication with be done against the central Kerberos service, so the SUN servers would allow ANY internal person to login …
-> to avoid that unrestricted login :

3) we manage “netgroups”, one netgroup per server, to restrict access to people from teams that we expect to have to perform work on that server :
at the end of /etc/passwd, add the 2 lines
+@netgrpnameforthisserver:x:::::
-:x:::::

We have requested the rights in the AD to manage the netgroups objects. There was no problem to obtain this delegation, since netgroups are not used by anyone else then UNIX sysadmins.
The netgroups are triplets, consisting of just the usernames:
(,username,)
…
To avoid that we need to manage the individual triplets in these netgroups:
- we manage a group per server (like “grp_servername”), which contains as members the groups of people that reflect functional teams (eg the DBA team, the network team, etc…) Only the groups the reflect teams which we grant access to that server, are added as member in this server-specific group “grp_servername”
- a script on the AD server runs 2x per day and populates the netgroups with the triplets of the usernames from these teams. At the end, the netgroups like “netgrpnameforthisserver” will contain only triplets for the users we want to grant access for that server

This works like a charm :
- the Windows team manage individual user accounts for people coming in the company, or leaving. Their helpdesk manages the reset of user passwords (in Kerberos)
- the SUN team manages which teams can login per server, by adding/removing groups from a ’server-group’
- an automated method populates the netgroups with the triplets for individual accounts

Thanks for the article. It is very helpfull. I HAD SOME SUCCESS WITH THE PROCEDURES. I am able to login the solaris 10 server with the AD users now. But the local users stopped working. I ma aunable to login to the server even with the local root user account
Any thoughts/suggestions?

and the default server list are AD server?
Thanks in advance,
pierluigi

/usr/lib/ssh/sshd -dep 29
(debug, extra detail, port 29)

then ssh from another windows to port 29

ssh testuser@localhost -p 29

This will show you some items that are happening as you go. Also, make sure your clocks are set right! Now back to getting ssh to work…
D

I found the answer and got it working. For those who are in much need of an answer, my config is as follows for my particular scenario:

-a defaultSearchBase=dc=example,dc=com \
-a defaultSearchScope=sub \
-a “serviceSearchDescriptor=group:ou=Managers,?sub?;ou=Users,?sub?” \
-a “serviceSearchDescriptor=passwd:ou=Managers,?sub?;ou=Users,?sub?” \

I didn’t realize until i read the log that the quotation marks are required.

Thanks a Million!