[30284] in Kerberos


Re: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed Sep 10 16:00:03 2008

Date: Wed, 10 Sep 2008 14:40:42 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <20080910194042.GO1875@Sun.COM>
In-Reply-To: <48C81C8B.6050400@anl.gov>
Cc: "Chavez, James R." <james.chavez@sanmina-sci.com>, kerberos@mit.edu

On Wed, Sep 10, 2008 at 02:14:19PM -0500, Douglas E. Engert wrote:
> Chavez, James R. wrote:
> > Doug, Thanks for the reply.
> > I am actually using kerberos for authenticating logins through ssh. 
> > Because I had no DNS entry for this Solaris box I was getting the
> > following debug output from pam_krb5.
> > 
> > Aug 26 10:24:21 solaris1.example.com sshd[1147]: [ID 537602 auth.error]
> > PAM-KRB5 (auth): krb5_verify_init_creds failed: 
> > Hostname cannot be canonicalized.
> 
> This sounds like the sshd can not determine its FQDN. A host should
> be able to determine its name without DNS.

This is coming from krb5_sname_to_principal(), which is called from
krb5_verify_init_creds(), which is called from pam_krb5:pam_sm_authenticate().

Solaris Kerberos specifically requires DNS to be configured.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
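
Added example, not part of the original message and not Solaris or MIT code: a small diagnostic that approximates the forward-lookup step krb5_sname_to_principal() depends on, so the "Hostname cannot be canonicalized" condition can be checked on a host outside of PAM. The function names and buffer sizes are hypothetical, and it is an assumption that a plain getaddrinfo() lookup with AI_CANONNAME mirrors what the Solaris library does.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Lowercase a hostname in place and drop one trailing dot, the usual
 * normalization before a name is placed in a host/ principal. */
void normalize_host(char *name)
{
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '.')
        name[--n] = '\0';
    for (size_t i = 0; i < n; i++)
        name[i] = (char)tolower((unsigned char)name[i]);
}

/* Forward-resolve host and copy its canonical name into out.
 * Returns 0 on success or the getaddrinfo() error code; a nonzero
 * result means the resolver could not canonicalize the name. */
int canonicalize_host(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *ai = NULL;
    memset(&hints, 0, sizeof(hints));
    hints.ai_flags = AI_CANONNAME;
    int err = getaddrinfo(host, NULL, &hints, &ai);
    if (err != 0)
        return err;
    snprintf(out, outlen, "%s", ai->ai_canonname ? ai->ai_canonname : host);
    freeaddrinfo(ai);
    normalize_host(out);
    return 0;
}

int main(void)
{
    char local[256], canon[1025];
    if (gethostname(local, sizeof(local)) != 0)
        return 1;
    local[sizeof(local) - 1] = '\0';
    int err = canonicalize_host(local, canon, sizeof(canon));
    if (err != 0) {
        fprintf(stderr, "%s: cannot canonicalize: %s\n", local, gai_strerror(err));
        return 1;
    }
    printf("host/%s\n", canon); /* service principal name, realm omitted */
    return 0;
}
```

Run it on the machine where sshd fails: a resolver error here points at name-service configuration rather than at pam_krb5 itself.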
