Kerberos setup under Solaris 9

From The System Administrator Zone

Configuration Files

  1. Change /etc/krb5/krb5.conf
  2. Change /etc/krb5/kdc.conf
  3. Change /etc/pam.conf

Here is the changed version of /etc/krb5/krb5.conf

[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
                kdc =
                admin_server =
        }

[domain_realm]
        .EXAMPLE.COM = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

                period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                version = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }

Here is the changed version of /etc/krb5/kdc.conf

[kdcdefaults]
        kdc_ports = 88,750

[realms]
        EXAMPLE.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
        }

Add the following to /etc/pam.conf to support ssh access

# sshd authentication order
sshd    auth sufficient try_first_pass
sshd    auth required 


Password setting / changing

If you use the built-in passwd command, it only updates the entry in /etc/shadow. However, that entry is still checked: when logging into the system with an account that is registered in the EXAMPLE domain, you will succeed if your password matches either the EXAMPLE domain or the entry in /etc/shadow.
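The reason both passwords work is the control flags in the pam.conf stack above: a "sufficient" module that succeeds ends the stack immediately, and one that fails is simply skipped, so the following "required" module still gets to check /etc/shadow. The added example below (not part of the original page) simulates Solaris PAM control-flag evaluation over a constructed sshd auth stack; the module names pam_krb5.so.1 and pam_unix_auth.so.1 and the two credential stores are assumptions made for the simulation, and the page's own pam.conf lines are not reproduced.

```python
"""Simulate how a Solaris pam.conf 'auth' stack decides, to show why either password works."""

# Constructed pam.conf lines in the Solaris format: service type control_flag module options.
# The module names are assumptions for this example, not lines taken from the page.
PAM_AUTH_STACK = [
    "sshd    auth sufficient pam_krb5.so.1      try_first_pass",
    "sshd    auth required   pam_unix_auth.so.1",
]

# Constructed credential stores: what the KDC knows and what /etc/shadow still holds.
KDC_PASSWORDS = {"alice": "kerberos-secret"}
SHADOW_PASSWORDS = {"alice": "old-local-secret"}


def parse_pam_stack(lines, service="sshd", module_type="auth"):
    """Return [(control_flag, module, options)] for one service/type, in file order."""
    stack = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] != service or fields[1] != module_type:
            continue
        stack.append((fields[2], fields[3], fields[4:]))
    return stack


# Stand-ins for the real modules: each checks the password against its own store.
MODULES = {
    "pam_krb5.so.1": lambda user, pw: KDC_PASSWORDS.get(user) == pw,
    "pam_unix_auth.so.1": lambda user, pw: SHADOW_PASSWORDS.get(user) == pw,
}


def pam_authenticate(stack, user, password):
    """Apply the Solaris control-flag rules (required / requisite / sufficient / optional)."""
    failed_required = False
    any_success = False
    for flag, module, _opts in stack:
        ok = MODULES[module](user, password)
        any_success = any_success or ok
        if flag == "sufficient":
            if ok and not failed_required:
                return True            # short-circuit: later modules never run
            continue                   # a failing 'sufficient' is ignored
        if flag == "requisite":
            if not ok:
                return False           # immediate failure
            continue
        if flag == "required":
            if not ok:
                failed_required = True # remembered; remaining modules still run
            continue
        if flag == "optional":
            continue                   # only matters if it is the sole module
        raise ValueError("unknown control flag %r" % flag)
    return any_success and not failed_required


if __name__ == "__main__":
    stack = parse_pam_stack(PAM_AUTH_STACK)
    for pw in ("kerberos-secret", "old-local-secret", "wrong"):
        print("alice / %-16s -> %s" % (pw, pam_authenticate(stack, "alice", pw)))
```

Running it shows the page's observation directly: the Kerberos password is accepted by the "sufficient" pam_krb5 entry, the stale /etc/shadow password is accepted by the "required" pam_unix_auth entry, and only a password matching neither store is rejected. The practical consequence is that a local password that is never updated or locked stays a valid login route alongside Kerberos.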

Error: Unknown code 2

Dec  5 12:42:16 HOSTNAME sshd[555]: PAM-KRB5 (auth): krb5_verify_init_creds failed: Unknown code 2

You need a valid keytab to use pam_krb5, or you must set verify_ap_req_nofail = false. Since we don't have a valid keytab, we have added verify_ap_req_nofail = false to the [libdefaults] section of the configuration file.
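The krb5_verify_init_creds check that fails here is pam_krb5 confirming the freshly obtained TGT against the host's own keytab, which is what detects a spoofed KDC; verify_ap_req_nofail = false makes that check non-fatal when no keytab exists, so it is a setting worth catching in configuration review. The added example below (not code from the page or from the Solaris distribution) parses the krb5.conf profile format used above, including the nested { } groups, and reports that setting together with empty kdc/admin_server values and realms with no domain_realm mapping. The sample configuration is constructed to mirror the page's file; the host names in it are placeholders.

```python
"""Parse a krb5.conf profile and flag settings a reviewer would question."""
import re

# Constructed sample mirroring the page's krb5.conf; kdc/admin_server values are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                admin_server = kdc1.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
# How often to rotate kdc.log.
                period = 1d
                version = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} where a 'key = {' group becomes a nested dict.

    Handles the [section] headers, 'key = value' lines, nested '{ ... }' groups and
    '#'/';' comment lines of the MIT/Solaris profile format.
    """
    conf = {}
    stack = []                          # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any [section]: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in %r" % raw)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'key = value': %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))   # open a nested group
        else:
            stack[-1][key] = value                        # may be "" for 'kdc ='
    if len(stack) > 1:
        raise ValueError("unterminated '{' group")
    return conf


def audit_krb5_conf(conf):
    """Return a list of review findings for a parsed krb5.conf."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    if libdefaults.get("verify_ap_req_nofail", "").lower() == "false":
        findings.append("libdefaults: verify_ap_req_nofail = false accepts a TGT that could "
                        "not be verified against a host keytab (KDC spoofing risk); "
                        "install a host keytab and drop this setting")
    realm = libdefaults.get("default_realm")
    if realm and realm not in realms:
        findings.append("realms: default_realm %s has no [realms] entry" % realm)
    for name, entry in realms.items():
        for key in ("kdc", "admin_server"):
            if not entry.get(key):
                findings.append("realms: %s has empty or missing %s" % (name, key))
    mapped = set(conf.get("domain_realm", {}).values())
    for name in realms:
        if name not in mapped:
            findings.append("domain_realm: no domain maps to realm %s" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("WARNING:", finding)
```

On the sample the only finding is the verify_ap_req_nofail one; feeding it the page's file as written, with its empty kdc = and admin_server = values, adds findings for both, which is the kind of half-finished configuration that is easy to leave in place once logins start working.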