I'm trying to just set up a vanilla Solaris 11 kerberos server, and then allow users to log in via kerberos password.

I've tried to follow the long old oracle kerberos instructions, at
http://docs.oracle.com/cd/E23824_01/html/821-1456/setup-9.html

and so on. 
I can kinit as a user beautifully.  But I cant LOG IN.
Oddly, even though you might think this would be #1 on the list of "things to do with kerberos"... nowhere is it mentioned in that document, how to make this happen.

it mentions that when you run "kclient", that you can specify individual services to be kerb enabled. But I cant see any suggestion as to what to use, for kerb logins
(either via ssh, or just using "su")

Could anyone inform as to the correct procedure?
 raw pam.conf lines would be nice, but any insight as to better kclient usage would be nice also.

On Monday, July 23, 2012 3:07:21 PM UTC-7, Philip Brown wrote:

> Could anyone inform as to the correct procedure?
>  raw pam.conf lines would be nice, but any insight as to better kclient usage would be nice also.

eh, this seems to work for me now:

(Since tabs dont get transferred in cut-n-paste, you'll have to manually interpret this patch. I trust that it is clear.)


--- /etc/pam.conf.orig  Thu Oct 20 16:04:04 2011
+++ pam.conf.krb5       Mon Jul 23 16:04:18 2012
@@ -17,6 +17,7 @@
 login  auth requisite          pam_authtok_get.so.1
 login  auth required           pam_dhkeys.so.1
 login  auth required           pam_unix_cred.so.1
+login  auth sufficient         pam_krb5.so.1
 login  auth required           pam_unix_auth.so.1
 login  auth required           pam_dial_auth.so.1
 #
@@ -70,7 +71,9 @@
 other  auth requisite          pam_authtok_get.so.1
 other  auth required           pam_dhkeys.so.1
 other  auth required           pam_unix_cred.so.1
+other  auth sufficient         pam_krb5.so.1
 other  auth required           pam_unix_auth.so.1