Solaris 8 Kerberos / Ldap Client Setup
Matthew.GARRETT at external.total.com
Thu May 14 08:56:14 EDT 2009
Folks,
I am trying to set up a Solaris 8 client to talk to Kerberos / LDAP instead
of using NIS.
LDAP works fine, e.g. getent passwd
displays the LDAP password entries.
Kerberos:
Doing a kinit USERNAME works fine if I am logged on to the console as the
root user,
so it would seem that /etc/krb/krb5.conf is configured correctly.
I have changed /etc/pam.conf to use krb5,
e.g.
# PAM configuration
#
# This file is configured to try pam_unix first, then pam_krb5
#
# Authentication management
#
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here. However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
# You may have to fiddle with this if you have other account databases.
# If you have some centralized user management tool that users use to
# change their password then you may just want to remove the pam_krb5
# here.
#
other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
However, when I try to log in as a normal user, syslog shows the following
errors:
May 13 15:33:23 bruce sshd[1168]: [ID 800047 auth.error] error: Could not get shadow information for USERNAME
Note the same is also true when I enable Telnet, so I don't think it is due
to OpenSSH issues.
Can anybody suggest what I am doing wrong?
Thanks
Matthew
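
The stacking described in the pam.conf comments above ("try pam_unix first, then pam_krb5"), as an added example that is not part of the original post: it parses pam.conf entries and evaluates one stack under the standard meaning of the required, requisite, sufficient and optional control flags. The names parse, evaluate and PAM_CONF are hypothetical, the sample entries are constructed from the auth and session lines quoted in the post, and the parser rejects any entry with fewer than four fields, such as an option that has ended up on a line of its own.

```python
# Added example: parse pam.conf entries and evaluate one stack by control flag.
# PAM_CONF is constructed from the auth and session entries quoted in the post.
PAM_CONF = """\
# Authentication management
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
# Session management
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
"""
CONTROLS = {"required", "requisite", "sufficient", "optional"}

def parse(text):
    """Return {(service, type): [(control, module, options), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in CONTROLS:
            raise ValueError("malformed pam.conf entry: %r" % raw)
        service, mtype, control, path = fields[:4]
        module = path.rsplit("/", 1)[-1].split(".so")[0]  # pam_unix.so.1 -> pam_unix
        stacks.setdefault((service, mtype), []).append((control, module, fields[4:]))
    return stacks

def evaluate(stack, results):
    """results: module name -> True (success) or False (failure).
    Returns (stack_succeeds, modules_called)."""
    required_failed = required_ok = other_ok = False
    called = []
    for control, module, _options in stack:
        ok = results[module]
        called.append(module)
        if control in ("required", "requisite"):
            if ok:
                required_ok = True
            else:
                required_failed = True
                if control == "requisite":
                    break  # a requisite failure ends the stack at once
        elif ok:
            if control == "sufficient" and not required_failed:
                return True, called  # later modules are never called
            other_ok = True
    if required_failed:
        return False, called
    return (required_ok or other_ok), called
```

With the auth stack above, a password that pam_unix accepts ends the stack before pam_krb5 is called; only when pam_unix fails does the required pam_krb5 entry decide the result.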