SUMMARY: SEAM, pam_krb5.so.1 and failover

From: Heilke, Rainer <Rainer.Heilke_at_atcoitek.com>
Date: Wed Apr 16 2003 - 15:52:58 EDT
>  -----Original Message-----
> From: 	Houle, Michael
> Sent:	Wednesday, April 16, 2003 1:52 PM
> To:	Heilke, Rainer
> Subject:	SUMMARY: SEAM, pam_krb5.so.1 and failover
>
> Sorry folks,
>
> I had a hole in my head. The library is contacting both KDCs, but somehow
> it doesn't seem to like the answer. If I get an answer later on, I can post
> another summary.
>
> Thanks,
> Mike.
>
>  -----Original Message-----
> From: 	Houle, Michael
> Sent:	Tuesday, April 15, 2003 3:17 PM
> To:	'sunmanagers@sunmanagers.org'
> Subject:	SEAM, pam_krb5.so.1 and failover
>
> Hi Sun managers,
>
> Anyone heard of this problem with SEAM's pam_krb5.so.1 under Solaris 8?
>
> pam_krb5.so.1 doesn't seem to query more than 1 KDC before giving up.
>
> We're doing some fail-over testing and we've noticed that when we shut down
> our primary KDC, pam_krb5.so.1 will not allow users to log in. Our Linux
> boxes work just fine, so we know that the secondary KDC has good data and
> works.
>
> If we temporarily reverse the order of our kdc lines, we can authenticate to
> our slave KDC just fine under Solaris.
>
> Our krb5.conf is:
>
> [libdefaults]
> clockskew = 5
> ticket_lifetime = 600
> default_realm = TEST.CA
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
>
> [realms]
> TEST.CA = {
> kdc = kerberos.test.ca:88
> kdc = kerberos-1.test.ca:88
> admin_server = kerberos.test.ca:749
> kpasswd_protocol = SET_CHANGE
> default_domain = test.ca
> }
>
> [domain_realm]
> .test.ca = TEST.CA
> test.ca = TEST.CA
>
> [appdefaults]
> kinit = {
> renewable = false
> forwardable= true
> }
>
> List steps to reproduce problem (if applicable):
> 1. Shut down primary KDC (kerberos.test.ca).
> 2. Try to telnet to box and enter password.
>
> Authentication fails. When the primary KDC is back online, authentication
> succeeds.
>
> Thanks, and I will post a summary as soon as I can.
> Mike.
Received on Wed Apr 16 15:58:23 2003
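
Added example, not part of the original thread and not SEAM or pam_krb5 code: a small Python check that reads the kdc lines of a realm in file order (using the [realms] stanza quoted in the post) and reports which KDC a client falling through the list would reach first. The function names are hypothetical, and the probe assumes the KDCs accept TCP connections on their listed port.

```python
import socket

# krb5.conf [realms] stanza from the post, quote markers removed.
KRB5_CONF = """\
[realms]
TEST.CA = {
kdc = kerberos.test.ca:88
kdc = kerberos-1.test.ca:88
admin_server = kerberos.test.ca:749
}
"""

def realm_kdcs(conf_text, realm):
    """Return [(host, port)] for each kdc line of `realm`, in file order."""
    kdcs, section, in_realm = [], None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, in_realm = line[1:-1].strip().lower(), False
        elif section != "realms":
            continue
        elif line.endswith("{"):
            in_realm = line.split("=", 1)[0].strip() == realm
        elif line.startswith("}"):
            in_realm = False
        elif in_realm:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                host, _, port = value.strip().partition(":")
                kdcs.append((host, int(port) if port else 88))
    return kdcs

def tcp_probe(host, port, timeout=3.0):
    """Reachability only: True if the KDC port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def failover_report(kdcs, probe=tcp_probe):
    """Probe every KDC in order; return (per-KDC results, first reachable)."""
    results = [(host, port, probe(host, port)) for host, port in kdcs]
    first_up = next(((h, p) for h, p, ok in results if ok), None)
    return results, first_up

if __name__ == "__main__":
    # Constructed probe simulating the post's test: primary KDC shut down.
    primary_down = lambda host, port: host != "kerberos.test.ca"
    print(failover_report(realm_kdcs(KRB5_CONF, "TEST.CA"), primary_down))
```

A reachable port only shows that the client can get to a KDC; it does not show whether the client accepts the reply, which is the situation the follow-up summary describes.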
