Hello Gurus,
I desperately need help to replicate the functionality that I had with Solaris 8 and SEAM in Solaris 10.
Our application needs a few users, which are created with the application install. One of our customers requires Kerberos as single sign-on because of their IT department policies. In the past, we had installed SEAM on Solaris 8, created principals for local application users on the KDC and locked their local accounts. This way, these application users were prompted for a password only once (the Kerberos password).
Now we are required to move to Solaris 10 and I am trying to do the same thing with Solaris 10 Kerberos. The problem is, as soon as I lock these local accounts, application users cannot log in with their Kerberos passwords either. If I do not lock the passwords, users can still access the system if they enter the incorrect Kerberos password but the correct local password, which is undesirable. How can I accomplish the same effect as the Solaris 8 and SEAM combo?
Following is the content of my pam.conf file in Solaris 8, which works with local account locking.
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
rlogin auth optional pam_krb5.so.1 try_first_pass
login auth optional pam_krb5.so.1 try_first_pass
dtlogin auth optional pam_krb5.so.1 try_first_pass
dtsession auth required pam_unix.so.1
krlogin auth required pam_krb5.so.1 acceptor
ktelnet auth required pam_krb5.so.1 acceptor
krsh auth required pam_krb5.so.1 acceptor
other auth optional pam_krb5.so.1 try_first_pass
dtlogin account optional pam_krb5.so.1
other account optional pam_krb5.so.1
other session optional pam_krb5.so.1
other password optional pam_krb5.so.1 try_first_pass
I have tried different configurations of pam.conf in Solaris 10, but nothing seems to work.
Thank you in advance for any help y'all can provide.