Solaris 10 Kerberos with local account locking


 
03-20-2008

Hello Gurus,

I desperately need help to replicate the functionality that I had with Solaris 8 and SEAM into Solaris 10.

Our application needs a few users which are created with the application install. One of our customers requires Kerberos as single sign-on because of their IT department policies. In the past, we had installed SEAM on Solaris 8, created principals for local application users on the KDC and locked their local accounts. This way, these application users were prompted for a password only once (the Kerberos password).

Now we are required to move to Solaris 10 and I am trying to do the same thing with Solaris 10 Kerberos. The problem is, as soon as I lock these local accounts, application users cannot log in with their Kerberos passwords either. If I do not lock the passwords, users can still access the system if they enter the incorrect Kerberos password, but correct local password, which is undesirable. How can I accomplish the same effect as the Solaris 8 and SEAM combo?

Following are the contents of my pam.conf file in Solaris 8, which works with local account locking.

Code:
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
  
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1

rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_auth.so.1

ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1

passwd  auth required           pam_passwd_auth.so.1

cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1

other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1

other   session required        pam_unix_session.so.1

other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

rlogin  auth optional           pam_krb5.so.1 try_first_pass
login   auth optional           pam_krb5.so.1 try_first_pass
dtlogin auth optional           pam_krb5.so.1 try_first_pass
dtsession auth required         pam_unix.so.1
krlogin auth required           pam_krb5.so.1 acceptor
ktelnet auth required           pam_krb5.so.1 acceptor
krsh    auth required           pam_krb5.so.1 acceptor
other   auth optional           pam_krb5.so.1 try_first_pass
dtlogin account optional        pam_krb5.so.1
other   account optional        pam_krb5.so.1
other   session optional        pam_krb5.so.1
other   password optional       pam_krb5.so.1 try_first_pass

I have tried different configurations of pam.conf in Solaris 10, but nothing seems to work.
Thank you in advance for any help y'all can provide.
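
Added example (not part of the original post): a simplified Python model of how pam.conf control flags combine, applied to the `login auth` lines posted above, to show why an `optional` pam_krb5 entry does not gate the login. Module outcomes are assumed inputs, including the assumption that pam_unix_auth.so.1 fails for a locked account; `KRB5_GATED` is a constructed variant for comparison, not a tested Solaris 10 configuration.

```python
# Simplified model of pam.conf control-flag evaluation (added illustration).
# Module results are scenario inputs, not real module behaviour.

POSTED_LOGIN_AUTH = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth optional           pam_krb5.so.1 try_first_pass
"""

# Constructed variant: Kerberos is the only password check in the stack.
KRB5_GATED = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_krb5.so.1
"""

def parse_stack(text, service, mod_type):
    """Return [(control_flag, module)] for one service/type, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == service and fields[1] == mod_type:
            stack.append((fields[2], fields[3]))
    return stack

def outcomes(stack, failing=()):
    """Every module succeeds except the ones named in `failing`."""
    return {module: module not in failing for _, module in stack}

def evaluate(stack, results):
    """Combine per-module results (True/False) into the stack's verdict."""
    required_failed = False
    any_success = False
    for flag, module in stack:
        if results[module]:
            any_success = True
            if flag == "sufficient" and not required_failed:
                return True           # stop early, stack succeeds
        elif flag == "requisite":
            return False              # stop early, stack fails
        elif flag == "required":
            required_failed = True    # keep going, but the stack will fail
        # a failed "optional" or "sufficient" module is ignored
    return any_success and not required_failed
```

With the posted stack, a failing pam_krb5.so.1 is ignored as long as pam_unix_auth.so.1 succeeds, and a failing pam_unix_auth.so.1 denies the login even when pam_krb5.so.1 succeeds.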