Jeff A. Earickson
2005-Aug-29 13:59 UTC
[Dovecot] dovecot/Active Directory/KRB client (OT)
Gang,

For those who asked about making a Solaris system a Kerberos client to Active Directory, the magic document to have is:

http://www.connectathon.org/seam1.0/files/c0101.htm

See the section "How to Configure a SEAM Client Using a Windows 2000 KDC". SEAM was Sun's Kerberos client stuff in Solaris 8; it is just there as part of Solaris 9 and 10. These instructions apply if one is using Solaris 9, 10, or a Windows 2003 KDC. The instructions probably give insight for other UNIX versions.

The hard part is configuring the pam.conf file, and there are significant differences between Solaris 9 and 10. For dovecot, I use the "other" service. In Solaris 9, pam.conf looks like:

  other auth sufficient /usr/lib/security/pam_unix.so.1 debug
  other auth sufficient /usr/lib/security/pam_krb5.so.1 try_first_pass debug
  other account optional /usr/lib/security/pam_unix.so.1
  other account optional /usr/lib/security/pam_krb5.so.1 debug
  other session required /usr/lib/security/pam_unix.so.1
  other session optional /usr/lib/security/pam_krb5.so.1 debug
  other password required /usr/lib/security/pam_unix.so.1

For Solaris 10, it looks like:

  other auth requisite pam_authtok_get.so.1 debug
  other auth required pam_dhkeys.so.1 debug
  other auth required pam_unix_cred.so.1 debug
  other auth sufficient pam_krb5.so.1 debug
  other auth required pam_unix_auth.so.1 debug
  other account requisite pam_roles.so.1 debug
  other account required pam_unix_account.so.1 debug
  other account required pam_krb5.so.1 debug
  other session required pam_unix_session.so.1 debug
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1
  other password sufficient pam_krb5.so.1
  other password required pam_authtok_store.so.1

I hope this helps.

Jeff Earickson
Colby College
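An added example, not part of Jeff's post: it parses the two "other auth" stacks above and applies the control-flag rules from Solaris pam.conf(4) (requisite stops on failure, required records failure but continues, sufficient short-circuits on success unless a required module already failed, and a stack with no required/requisite entries needs one sufficient/optional success), so you can see which module outcome actually decides a dovecot login. The per-module results passed in are constructed, not real PAM return codes.

```python
"""Simulate how Solaris PAM combines module results for an auth stack."""
from typing import Dict, List, Tuple

# Constructed copies of the "other auth" lines quoted in the post.
SOLARIS9_AUTH = """
other auth sufficient /usr/lib/security/pam_unix.so.1 debug
other auth sufficient /usr/lib/security/pam_krb5.so.1 try_first_pass debug
"""
SOLARIS10_AUTH = """
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth required pam_unix_cred.so.1 debug
other auth sufficient pam_krb5.so.1 debug
other auth required pam_unix_auth.so.1 debug
"""


def parse_stack(text: str, service: str = "other",
                mtype: str = "auth") -> List[Tuple[str, str]]:
    """Return (control_flag, module) pairs for matching pam.conf lines."""
    stack = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == service and f[1] == mtype:
            stack.append((f[2], f[3].rsplit("/", 1)[-1]))  # drop dir prefix
    return stack


def evaluate(stack: List[Tuple[str, str]],
             results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Combine per-module outcomes (True = PAM_SUCCESS). Modules missing
    from `results` (helpers such as pam_authtok_get) are assumed to succeed.
    Returns (final result, modules actually consulted, in order)."""
    required_failed, soft_ok, consulted = False, False, []
    has_required = any(fl in ("required", "requisite") for fl, _ in stack)
    for flag, module in stack:
        ok = results.get(module, True)
        consulted.append(module)
        if flag == "requisite" and not ok:
            return False, consulted            # fail immediately
        if flag == "required" and not ok:
            required_failed = True             # remember, but keep going
        if flag in ("sufficient", "optional") and ok:
            soft_ok = True
        if flag == "sufficient" and ok and not required_failed:
            return True, consulted             # short-circuit success
    final = (not required_failed) if has_required else soft_ok
    return final, consulted
```

With the Solaris 9 stack a good local password never reaches pam_krb5, while in the Solaris 10 stack a failed pam_unix_cred makes a Kerberos success irrelevant.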
Interesting, thanks for sharing the info.

-----
Lisandro Grullon
New York City College of Technology
Division of Continuing Education
Director of Network Operations
Office: 1718-552-1178
E-mail: lgrullon at citytech.cuny.edu
"Unix is user-friendly. It's just very selective about who its friends are."