Kerberos setup under Solaris 9

From The System Administrator Zone

Configuration Files

  1. Change /etc/krb5/krb5.conf
  2. Change /etc/krb5/kdc.conf
  3. Change /etc/pam.conf

Here is the changed version of /etc/krb5/krb5.conf

[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                admin_server = kdc01.example.com
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                # How often to rotate kdc.log. Logs will get rotated no more
                # often than the period, and less often if the KDC is not used
                # frequently.
                period = 1d

                # How many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                version = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }

Here is the changed version of /etc/krb5/kdc.conf

[kdcdefaults]

       kdc_ports = 88,750

[realms]

       EXAMPLE.COM = {
               profile = /etc/krb5/krb5.conf
               database_name = /var/krb5/principal
               admin_keytab = /etc/krb5/kadm5.keytab
               acl_file = /etc/krb5/kadm5.acl
               kadmind_port = 749
               max_life = 8h 0m 0s
               max_renewable_life = 7d 0h 0m 0s
               default_principal_flags = +preauth
       }

Add the following to /etc/pam.conf so that sshd tries Kerberos first and falls back to the local password:

# sshd authentication order
sshd    auth sufficient         pam_krb5.so.1 try_first_pass
sshd    auth required           pam_unix_auth.so.1

Notes

Password setting / changing

If you use the built-in passwd command, it only updates the entry in /etc/shadow. However, that entry is still checked: because pam_krb5 is listed as sufficient and pam_unix_auth as required in the sshd stack above, a failed Kerberos check falls through to the local entry. Thus, when logging into the system with an account that is registered in the EXAMPLE domain, you will be successful if your password matches either the EXAMPLE domain or the entry in /etc/shadow.

Error: Unknown code 2

Dec  5 12:42:16 HOSTNAME sshd[555]: PAM-KRB5 (auth): krb5_verify_init_creds failed: Unknown code 2

Fix in /etc/krb5/krb5.conf:
You need a valid keytab to use pam_krb5, or you must set verify_ap_req_nofail = false. Since we don't have a valid keytab, we have added verify_ap_req_nofail = false to the [libdefaults] section of the configuration file. Setting it to false disables the check that confirms the credentials returned by the KDC against the host's own key; once a host keytab is in place, the line can be removed so that the check is performed again.
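As an added example (not part of the original page), the following script parses a krb5.conf in the format shown above and flags the two things a reviewer of this setup would check: verify_ap_req_nofail set to false in [libdefaults], and a [domain_realm] mapping whose realm carries a leading dot. The sample file contents are constructed for the check.

```python
import re

# Constructed sample (hypothetical file contents, not taken from a real host):
# the krb5.conf from this page, including both points the audit looks for.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false
[realms]
        EXAMPLE.COM = {
        kdc = kdc01.example.com
        admin_server = kdc01.example.com
        }
[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = .EXAMPLE.COM
[logging]
        kdc_rotate = {
# comment inside a nested block
        period = 1d
}
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}. Nested '{ ... }'
    blocks are flattened into dotted keys such as 'EXAMPLE.COM.kdc'."""
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            stack = []
        elif line == "}" and stack:
            stack.pop()                           # leave the current nested block
        elif current is not None and "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(key)                 # enter a nested block
            else:
                current[".".join(stack + [key])] = value
    return sections

def audit_krb5_conf(text):
    """Return the findings a reviewer of this page's krb5.conf would raise."""
    conf = parse_krb5_conf(text)
    findings = []
    if conf.get("libdefaults", {}).get("verify_ap_req_nofail", "").lower() == "false":
        findings.append("verify_ap_req_nofail=false: KDC reply is not verified against a host keytab")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm.startswith("."):
            findings.append(f"domain_realm {domain} -> {realm}: realm names never start with a dot")
    return findings
```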