Auth against AD (kerberos) does not work


 
# 8  
Old 07-27-2012
Thank you kah00na for your help.

I saw in your thread (12.08.2010) that you had the same output with lsuser.

Quote:
asdf registry=files SYSTEM=KRB5files
After I did all the steps you showed me, it still does not work.

I still see the message
"auth|security:info syslog: pts/2: failed login attempt for UNKNOWN_USER from HOST"

The difference between the entries in /etc/security/user and the output of lsuser still exists.

Code:
HOSTNAME[!]/home/bsp/login>>grep -p kbtest /etc/security/user | egrep "admin|registry|SYSTEM"
        admin = false
        registry = KRB5files
        SYSTEM = "KRB5files"
HOSTNAME[!]/home/bsp/login>>lsuser -a registry SYSTEM kbtest
kbtest registry=files SYSTEM=KRB5files

This must be a problem of lsuser!!!

I think it is important to know who says "UNKNOWN_USER". Is this a message from the DC? If so, why does it work with kinit and not when I try to log in?

Is it possible that the system sends the USER without the REALM at login time, while kinit does send the REALM?
Is there a problem with the environment at login time, so that the login process does not recognize the /etc/krb5/krb5.conf file?

Many questions, and I do not know how to get the answers.


I found another strange thing.
After the user is configured for KRB5files, the user administration in smitty shows me empty values and wrong values.
Code:
                    Change / Show Characteristics of a User                     

Type or select values in entry fields.                                          
Press Enter AFTER making all desired changes.                                   

[TOP]                                                   [Entry Fields]          
* User NAME                                           kbtest                    
  User ID                                            []                       # 
  ADMINISTRATIVE USER?                                                       +  
  Primary GROUP                                      []                      +  
  Group SET                                          []                      +  
  ADMINISTRATIVE GROUPS                              []                      +  
  ROLES                                              []                      +  
  Another user can SU TO USER?                                               +  
  SU GROUPS                                          []                      +  
  HOME directory                                     []                         
  Initial PROGRAM                                    []                         
  User INFORMATION                                   []                         
  EXPIRATION date (MMDDhhmmyy)                       []                         
  Is this user ACCOUNT LOCKED?                                               +  
  User can LOGIN?                                                            +  
  User can LOGIN REMOTELY(rsh,tn,rlogin)?                                    +  
  Allowed LOGIN TIMES                                []                         
  Number of FAILED LOGINS before                     []                       # 
       user account is locked                                                   
  Login AUTHENTICATION GRAMMAR                       [KRB5files]                
  Valid TTYs                                         []                         
  Days to WARN USER before password expires          []                       # 
  Password CHECK METHODS                             []                         
  Password DICTIONARY FILES                          []                         
  NUMBER OF PASSWORDS before reuse                   []                       # 
  WEEKS before password reuse                        []                       # 
  Weeks between password EXPIRATION and LOCKOUT      []                         
  Password MAX. AGE                                  []                       # 
  Password MIN. AGE                                  []                       # 
  Password MIN. LENGTH                               []                       # 
  Password MIN. ALPHA characters                     []                       # 
  Password MIN. OTHER characters                     []                       # 
  Password MAX. REPEATED characters                  []                       # 
  Password MIN. DIFFERENT characters                 []                       # 
  Password REGISTRY                                  [files]                    
  Soft CPU time                                      []                         
  Soft FILE size                                     []                       # 
  Soft DATA segment                                  []                       # 
  Soft STACK size                                    []                       #

Thanks.
Have a nice weekend.

Last edited by tomys; 07-27-2012 at 05:27 AM. Reason: Please use code tags and less formatting
# 9  
Old 07-27-2012
Use smitty to change your "Password REGISTRY" and see if anything changes. I see "KRB5files" in my smitty screen.
Can you post the full output of "lsuser kbtest"?
According to your AD server, the kbtest user is indeed able to log in, right?
Please run "oslevel -s" and post the output.
Code:
  Password MAX. REPEATED characters                  [8]                                                              #
  Password MIN. DIFFERENT characters                 [0]                                                              #
  Password REGISTRY                                  [KRB5files]
  Soft CPU time                                      [-1]
  Soft FILE size                                     [-1]                                                             #

# 10  
Old 07-27-2012
I will try to change the registry entry again later.

But, now I can tell you another strange behavior.
If I switch the user to PAMfiles (registry and SYSTEM), I see PAMfiles with lsuser in both settings.

Interesting: With PAMfiles enabled, no login is possible because of "user is not known".
Sounds similar to the message "UNKNOWN_USER" with KRB5files.

Why does it not show the right value with KRB5files?! Very strange.

What did you do so that your output of lsuser shows the correct values? Because in your post from 2010 the registry value showed the wrong value, too.

---------- Post updated at 11:42 PM ---------- Previous update was at 04:06 PM ----------

Now I have access to the system and can answer your questions.

If I change the registry entry from files to KRB5files in smitty, it shows me "OK".
But the next time I look at the settings, the registry value is still set to "files".

Code:
HOST[!]/>>oslevel -s
6100-07-04-1216

Yes. The kbtest user can log in, for example to our Windows Terminal Server.

Code:
root@appserv5[!]/>>grep -p kbtest /etc/security/user
kbtest:
        admin = false
        registry = KRB5files
        SYSTEM = "KRB5files"

Quote:
HOST[!]/>>lsuser kbtest
kbtest registry=files SYSTEM=KRB5files time_last_login=1343371061 tty_last_login=/dev/pts/2 host_last_login=dv10.ad.herpa.de unsuccessful_login_count=6


Here is a user which is set to "files" and "compat".

Code:
HOST[!]/>>lsuser bsp
bsp id=125 pgrp=bsp groups=bsp,staff home=/home/bsp shell=/usr/bin/ksh
gecos=MK-Administrator login=true su=true rlogin=true daemon=true admin=false
sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE
umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=14
account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=1 minother=1
mindiff=4 maxrepeats=4 minlen=9 histexpire=0 histsize=3 pwdchecks= dictionlist=
default_roles= fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151 rss=-1 nofiles=-1
time_last_login=1343386910 time_last_unsuccessful_login=1343386906
tty_last_login=/dev/pts/3 tty_last_unsuccessful_login=/dev/pts/3
host_last_login=dv10.ad.DOMAIN.de host_last_unsuccessful_login=dv10.ad.DOMAIN.de
unsuccessful_login_count=0 roles=
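Added example (not code from any poster in this thread): a POSIX shell script that reads a user's stanza from an /etc/security/user-style file and compares its registry and SYSTEM values with an lsuser-style output line, so the mismatch shown in posts #8 and #10 (stanza says registry = KRB5files, lsuser says registry=files) is caught for every Kerberos-enabled account rather than noticed by eye. On AIX the registry attribute names the back end where the account is administered and SYSTEM the authentication grammar tried at login, so the two are worth reviewing as a pair. The function names and the sample stanza and lsuser text are constructed for this example; on a real host substitute the contents of /etc/security/user and the output of lsuser for the user in question.

```sh
#!/bin/sh
# Added example (not from the thread): compare a user's stanza in an
# /etc/security/user-style file with an lsuser-style output line.
# Function names are hypothetical; the sample data below is constructed.

# Constructed stanza text in /etc/security/user format (default plus two users).
# AIX stanza files use "*" for comments; attribute lines are indented under "name:".
SAMPLE_STANZAS=$(cat <<'EOF'
* constructed sample, not a real host's file
default:
        admin = false
        login = true
        registry = files
        SYSTEM = "compat"

bsp:
        admin = false
        registry = files
        SYSTEM = "compat"

kbtest:
        admin = false
        registry = KRB5files
        SYSTEM = "KRB5files"
EOF
)

# Constructed lsuser-style line: "name attr=value attr=value ..." on one line.
SAMPLE_LSUSER='kbtest registry=files SYSTEM=KRB5files tty_last_login=/dev/pts/2 unsuccessful_login_count=6'

# stanza_attr TEXT USER ATTR: print ATTR from USER's stanza, quotes stripped.
# A stanza starts at an unindented "name:" line and runs until the next one.
stanza_attr() {
    printf '%s\n' "$1" | awk -v user="$2" -v attr="$3" '
        /^[^ \t#*][^:]*:[ \t]*$/ { cur = $0; sub(/:.*$/, "", cur); next }
        cur == user && $1 == attr && $2 == "=" { val = $3; gsub(/"/, "", val); print val; exit }'
}

# lsuser_attr LINE ATTR: print ATTR from an lsuser-style line (values may contain "=").
lsuser_attr() {
    printf '%s\n' "$1" | awk -v attr="$2" '{
        for (i = 2; i <= NF; i++) {
            p = index($i, "=")
            if (p > 0 && substr($i, 1, p - 1) == attr) { print substr($i, p + 1); exit }
        }
    }'
}

# check_auth_attrs TEXT LINE USER: compare registry and SYSTEM between the stanza
# text and the lsuser line. Prints one token per differing attribute and returns 1
# if any differ, 0 if both views of the account agree.
check_auth_attrs() {
    mismatches=""
    for attr in registry SYSTEM; do
        want=$(stanza_attr "$1" "$3" "$attr")
        have=$(lsuser_attr "$2" "$attr")
        [ "$want" = "$have" ] || mismatches="$mismatches $attr(stanza=$want,lsuser=$have)"
    done
    [ -n "$mismatches" ] && printf '%s\n' "${mismatches# }"
    [ -z "$mismatches" ]
}

# Demonstration on the constructed data: kbtest shows the thread's mismatch, bsp is consistent.
if check_auth_attrs "$SAMPLE_STANZAS" "$SAMPLE_LSUSER" kbtest; then
    echo "kbtest: /etc/security/user and lsuser agree"
else
    echo "kbtest: attributes differ between the stanza file and lsuser"
fi
check_auth_attrs "$SAMPLE_STANZAS" 'bsp registry=files SYSTEM=compat' bsp && echo "bsp: consistent"
```

Values are compared as plain strings after stripping the quotes the stanza file puts around SYSTEM, so "KRB5files" in the file and KRB5files from lsuser compare equal; only a genuine disagreement such as the registry one above is reported.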
# 11  
Old 07-28-2012
Could be far-fetched since I haven't used it on IBM, but it should be similar.

This is how I do the KRB setup for a machine (HP-UX or Linux).

1. Create a user on the domain (I usually name it after the server).
2. Be sure that the checkbox for Kerberos auth for that specified user on AD is checked.
3. Set "password must be changed during next login".
4. Log in with that user, change the password (remember it!), log out # this is crucial or stuff just doesn't work.
5. Set "password never expires" for that user on the DC.
6. Generate a keytab using ktpass on the DC, positioning yourself in c:/Users.
7. Copy the keytab to your server.
8. Configure the PAM conf to use Kerberos auth (with files as failover).
9. Define a user on the system named like any user on AD (define a password if you wish for that user to be able to log in if the KRB server is not operational).
10. Make sure NTP is operational; KERBEROS will not work if your servers (DC - server - client) are out of sync.

Step 9 is optional if you are using the DC's LDAP with Unix extended attributes on it (never used this myself, but it should be doable with more work on the server and DC).

Now you should be able to log in to the server using a client which supports KRB, when the user is logged on to the Windows domain.

Hope this helps you in your setup.
Regards
Peasant.
# 12  
Old 07-30-2012
Quote:
Originally Posted by Peasant
10. Make sure NTP is operational, KERBEROS will not work if your servers (DC - server - client ) are out of sync.
This is in fact standard Kerberos behavior. I haven't needed Kerberos for a long time, but now that you mention it, I remember this being a regular source of trouble in the days of PSSP (the SP/2 middleware), which used Kerberos throughout.

I hope this helps.

bakunin
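Added example (not from Peasant's or bakunin's posts): a POSIX shell script that takes a krb5.conf-style file and reports the realm and KDC a login will use, realm-qualifies a bare login name the way the Kerberos libraries do (a name without @REALM gets default_realm appended, which bears on the question in post #8 about whether the realm is sent at login time), and checks a measured clock offset against the clockskew tolerance for the NTP point in step 10 and in post #12 (MIT krb5 uses 300 seconds when the key is absent). Function names and the configuration text are constructed for this example; on a real host pass it /etc/krb5/krb5.conf and the offset your NTP client reports against the DC.

```sh
#!/bin/sh
# Added example (not from the thread): read the realm and KDC a login would use
# from a krb5.conf-style file, realm-qualify a bare user name the way the Kerberos
# libraries do, and check a measured clock offset against the clockskew tolerance.
# Function names are hypothetical; the configuration text below is constructed.

SAMPLE_KRB5_CONF=$(cat <<'EOF'
[libdefaults]
        default_realm = AD.EXAMPLE.TEST
        clockskew = 300
        dns_lookup_kdc = false

[realms]
        AD.EXAMPLE.TEST = {
                kdc = dc1.ad.example.test:88
                admin_server = dc1.ad.example.test:749
        }

[domain_realm]
        .ad.example.test = AD.EXAMPLE.TEST
EOF
)

# krb5_libdefault CONF KEY: value of KEY in [libdefaults], empty if absent.
krb5_libdefault() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^\[/ { sect = $1; next }
        sect == "[libdefaults]" && $1 == key && $2 == "=" { print $3; exit }'
}

# krb5_realm_attr CONF REALM KEY: value of KEY inside REALM's { ... } block in [realms].
krb5_realm_attr() {
    printf '%s\n' "$1" | awk -v realm="$2" -v key="$3" '
        /^\[/                                        { sect = $1; cur = ""; next }
        sect == "[realms]" && $2 == "=" && $3 == "{" { cur = $1; next }
        sect == "[realms]" && $1 == "}"              { cur = ""; next }
        cur == realm && $1 == key && $2 == "="       { print $3; exit }'
}

# principal_for NAME CONF: the principal the libraries will ask the KDC about.
# A name without "@REALM" gets default_realm appended; a qualified name is kept.
principal_for() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$(krb5_libdefault "$2" default_realm)" ;;
    esac
}

# clock_skew_ok OFFSET CONF: succeed if |OFFSET| seconds is within the configured
# clockskew (300 s, the MIT default, when the key is absent). The KDC rejects
# requests whose timestamps fall outside this window, hence the NTP requirement.
clock_skew_ok() {
    offset=$1
    tol=$(krb5_libdefault "$2" clockskew)
    [ -n "$tol" ] || tol=300
    [ "$offset" -lt 0 ] && offset=$(( 0 - offset ))
    [ "$offset" -le "$tol" ]
}

# Demonstration on the constructed configuration.
realm=$(krb5_libdefault "$SAMPLE_KRB5_CONF" default_realm)
echo "bare login name kbtest becomes $(principal_for kbtest "$SAMPLE_KRB5_CONF")"
echo "KDC for $realm: $(krb5_realm_attr "$SAMPLE_KRB5_CONF" "$realm" kdc)"
for off in 45 -420; do
    if clock_skew_ok "$off" "$SAMPLE_KRB5_CONF"; then
        echo "offset ${off}s: within tolerance"
    else
        echo "offset ${off}s: outside tolerance, fix NTP before debugging the login"
    fi
done
```

The offset is an input rather than measured here so the script runs offline; in practice it comes from your NTP client's comparison against the DC. A login that fails only when the offset exceeds the tolerance, while kinit succeeds minutes later, is the clock-skew symptom bakunin describes.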