pam_krb5_keytab(7)
Standards, Environments, Macros, Character Sets, and miscellany
NAME
pam_krb5_keytab - set credential PAM module with authentication through
the Kerberos key table file
SYNOPSIS
/usr/lib/security/pam_krb5_keytab.so.1
DESCRIPTION
The pam_krb5_keytab module attempts to obtain initial credentials
through the system's Kerberos key table file. The initial credentials
can subsequently be used to obtain credentials for itself on behalf of
PAM_USER, through Services for User to Self (S4U2Self) by stacking
pam_gss_s4u(7) after this module. In turn, these credentials can be
used to obtain service tickets for other services on behalf of the user
through Services for User to Proxy (S4U2Proxy).
Kerberos Set Credential Module
The Kerberos key table set credential module provides the set credential
function for pam_sm_setcred(). The credentials are set from an initial
authentication using the system's keys, which were stored when the system
was provisioned for Kerberos.
The following options can be passed to the Kerberos set credential module:
debug     Provides syslog(3C) debugging information at LOG_DEBUG level.
nowarn    Turns off warning messages.
Kerberos Authentication Module
The Kerberos key table authentication module provides the authentication
function for pam_sm_authenticate(). The function returns PAM_IGNORE.
ERRORS
The following error codes are returned for pam_sm_setcred():
PAM_CRED_UNAVAIL    The system's key table file does not exist or the
                    system's principal was not found in the key table file.
PAM_SUCCESS         Successfully initialized credentials for the system's
                    principal.
PAM_SYSTEM_ERR      System error.
PAM_USER_UNKNOWN    The system's principal was not found in the Kerberos
                    database.
EXAMPLES
Example 1 Set Credential for Initial Authentication Optionally Through
Kerberos Key Table File
The following is an excerpt of a sample /etc/pam.d/cron file:
auth definitive pam_user_policy.so.1
auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
auth requisite pam_krb5_keytab.so.1
auth optional pam_gss_s4u.so.1
Because setting credentials uses the same stack as authentication, the
above provisions Kerberos credentials by successfully authenticating with
the keys found in the system's key table file via pam_krb5_keytab(7).
These credentials are then used to obtain S4U credentials for PAM_USER.
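The stacking rules above can be checked mechanically. The following is an added example, not part of the original man page or of Oracle Solaris: a small linter for the auth stack of an /etc/pam.d file. The function names, the finding texts and the choice of checks are assumptions made for illustration; SAMPLE_CRON reproduces the excerpt from Example 1.

```python
# Added example: lint the auth stack of an /etc/pam.d file that uses pam_krb5_keytab.
# Handles the /etc/pam.d line format only: module_type control_flag module [options].
SAMPLE_CRON = """\
auth definitive pam_user_policy.so.1
auth required   pam_unix_auth.so.1
auth required   pam_unix_cred.so.1
auth requisite  pam_krb5_keytab.so.1
auth optional   pam_gss_s4u.so.1
"""

KEYTAB = "pam_krb5_keytab.so"
S4U = "pam_gss_s4u.so"


def parse_stack(text, module_type="auth"):
    """Return [(control_flag, module_file, options)] for one module type."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] == module_type:
            # The module may be given as a full path; compare on the file name.
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return entries


def lint_keytab_stack(text):
    """Return a list of findings; an empty list means every check passed."""
    stack = parse_stack(text)
    names = [module for _, module, _ in stack]
    keytab = [i for i, n in enumerate(names) if n.startswith(KEYTAB)]
    s4u = [i for i, n in enumerate(names) if n.startswith(S4U)]
    if not keytab:
        return ["pam_krb5_keytab is not in the auth stack"]
    findings = []
    if len(names) == 1:
        # pam_sm_authenticate() of this module returns PAM_IGNORE (see above).
        findings.append("pam_krb5_keytab is the only auth module; "
                        "its pam_sm_authenticate() returns PAM_IGNORE")
    if s4u and min(s4u) < keytab[0]:
        findings.append("pam_gss_s4u is stacked before pam_krb5_keytab")
    for i in keytab:
        if "debug" in stack[i][2]:
            findings.append("pam_krb5_keytab has the debug option set")
    return findings


if __name__ == "__main__":
    for finding in lint_keytab_stack(SAMPLE_CRON) or ["no findings"]:
        print(finding)
```
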
Example 2 Using pam_user_policy to Configure pam_krb5_keytab
The pam_user_policy PAM module can be configured to refer to the supplied
/etc/security/pam_policy/krb5_keytab file which uses pam_krb5_keytab for
PAM authentication with Kerberos through keytab and optionally,
authentication through pam_gss_s4u for Services For Users (S4U). The
following command assigns the /etc/security/pam_policy/krb5_keytab file to
user cronuser as the PAM policy:
# usermod -K pam_policy=krb5_keytab cronuser
For more information, see the pam_user_policy(7) man page.
ATTRIBUTES
See attributes(7) for a description of the following attribute:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
---------------------  ---------------
Interface Stability    Committed
SEE ALSO
kinit(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_sm(3PAM),
pam_sm_authenticate(3PAM), pam_sm_setcred(3PAM), pam.conf(5),
attributes(7), pam_gss_s4u(7), pam_krb5(7)
Oracle Solaris 11.4 6 Feb 2020 pam_krb5_keytab(7)