PAM-KRB5: account:  unable to get host based service name for realm

I want a custom service to authenticate via PAM with Microsoft Active Directory Services on Windows 2003. kinit appears to work:
Myserver% klist
Ticket cache: /tmp/krb5cc_200
Default principal: [email protected]

Valid starting                     Expires                            Service principal
Tue 01 Aug 2006 10:42:23 AM CDT    Tue 01 Aug 2006 08:42:23 PM CDT    krbtgt/[email protected]
        renew until Tue 08 Aug 2006 10:42:23 AM CDT
Running a sample PAM consumer using 'winsamp' as its service name complains that Kerberos doesn't know the user. syslog reports: PAM-KRB5: account: unable to get host based service name for realm 'EXAMPLE.COM'.
I'm struggling to get any additional logging out of either PAM or Kerberos. Any advice appreciated.
/etc/pam.conf:
winsamp auth required pam_krb5.so.1 debug
winsamp password required pam_krb5.so.1 debug
winsamp account required pam_krb5.so.1 debug
winsamp session required pam_krb5.so.1 debug
/etc/krb5/krb5.conf:
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
    EXAMPLE.COM = {
        kdc = mykdc.example.com:88
        admin_server = mykdc.example.com
        default_domain = EXAMPLE.COM
    }
[domain_realm]
    .example.com = EXAMPLE.COM
[logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
        # How often to rotate kdc.log. Logs will get rotated no more
        # often than the period, and less often if the KDC is not used
        # frequently.
        period = 1d
        # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
        versions = 10
    }
[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }
PAM sample application synopsis:
pam_start("winsamp", "someuser", &conv, &pamh);
err = pam_authenticate(pamh, 0);
if (err == PAM_USER_UNKNOWN)
printf("don't know that user\n"); // <-- we always arrive here
logout();
}

Part of the problem was that the Sun server's domain was not an exact match for the ADS domain. One was XXXX.EXAMPLE.COM and the other was just EXAMPLE.COM. Adding the equiv. domains in krb5.conf improved that situation.
The sample PAM application still doesn't behave the way I want. When pam.conf is configured to authenticate against /etc/passwd, it works. Not when authenticating against ADS alone. I've come to the conclusion that PAM is for authenticating ONLY access to Solaris accounts.
My application does not need a Solaris account. Am I using the wrong authentication API?
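
A sketch of how a [domain_realm] section maps a host name to a realm for the sub-domain case described above, added here as an example and not taken from the original posts or from any Kerberos implementation. It assumes the usual matching order (exact host name first, then each parent domain written with a leading dot, most specific first); the host names and the second mapping are constructed.

```python
# Added example: models [domain_realm] matching; not Solaris or MIT source code.
# Assumed lookup order: exact host name, then each parent domain written
# with a leading dot, most specific first.

def parse_domain_realm(conf_text):
    """Return {pattern: REALM} from the [domain_realm] section of krb5.conf text."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            pattern, realm = (part.strip() for part in line.split("=", 1))
            mapping[pattern.lower()] = realm
    return mapping


def realm_for_host(fqdn, mapping):
    """Resolve a host's realm; None means no entry matched."""
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def host_principal(fqdn, mapping):
    """Build the host-based service principal, or None if the realm is unknown."""
    realm = realm_for_host(fqdn, mapping)
    return None if realm is None else "host/%s@%s" % (fqdn.lower(), realm)


# Constructed input: the thread's mapping, then the same with a sub-domain entry.
THREAD_CONF = "[domain_realm]\n.example.com = EXAMPLE.COM\n"
SUBDOMAIN_CONF = THREAD_CONF + ".xxxx.example.com = XXXX.EXAMPLE.COM\n"

if __name__ == "__main__":
    for conf in (THREAD_CONF, SUBDOMAIN_CONF):
        m = parse_domain_realm(conf)
        for h in ("myserver.xxxx.example.com", "mykdc.example.com", "myserver.other.test"):
            print(h, "->", host_principal(h, m))
```

Comparing the realm this returns for the server's own FQDN with the realm in the user's ticket shows quickly whether the two sides agree.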
