Manual: (HP-UX-11.11)
 pamkrbval(1m)						       pamkrbval(1m)




 NAME
      pamkrbval - validates the PAM Kerberos configuration.

 SYNOPSIS
      pamkrbval [ -v[erbose] ]

 DESCRIPTION
      pamkrbval verifies the PAM Kerberos related configuration files,
      /etc/pam.conf, /etc/pam_user.conf, /etc/krb5.conf, and
      /etc/krb5.keytab.	 It also checks if the default realm KDC is running.
      This version of pamkrbval is based on Kerberos V5 Client Version 1.0
      and may not work with configuration files of other Kerberos versions.
      This tool will help the administrator diagnose the problem.

      pamkrbval performs the following validations:

	   Checks whether the control_flags and the module_types specified
	   for the PAM Kerberos specific entries in the /etc/pam.conf file
	   are valid.

	   Checks whether the PAM Kerberos specific module_paths that are
	   specified in /etc/pam.conf exist.

	   Checks whether the options specified for the pam_krb5 library
	   are valid PAM Kerberos options.

	   Validates the /etc/pam_user.conf file only if libpam_updbe is
	   configured in the /etc/pam.conf file. This validation is similar
	   to the /etc/pam.conf validation.

	   Validates the syntax of the Kerberos configuration file,
	   /etc/krb5.conf.

	   Validates if the default realm KDC is issuing tickets. At least
	   one KDC must reply to the ticket requests for the default realm.

	   Validates the host service principal,
	   host/<hostname>@<default_realm> in /etc/krb5.keytab if present.
	   If this host service principal is not present in the default
	   keytab file, /etc/krb5.keytab, then that validation is ignored
	   and success is assumed.


    NOTE
      An entry in the /etc/pam.conf file is considered to be a PAM Kerberos
      entry if the file name in the module_path begins with libpam_krb5..
      An example of a PAM Kerberos entry in /etc/pam.conf is as shown:

	   login   auth	  required   /usr/lib/security/libpam_krb5.1

      The machine is considered to be configured with libpam_updbe if the
      file name in the module_path of an entry in /etc/pam.conf begins with
      libpam_updbe..  An example of a pam_updbe entry in /etc/pam.conf is as
      shown:

	   login   auth	  required   /usr/lib/security/libpam_updbe.1
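
      The selection rule in this NOTE, combined with the control_flags and
      module_types check from the validation list, as an added shell example.
      It is not HP's code and not how pamkrbval is implemented; the function
      names, the accepted module_type and control_flag sets, and the sample
      entries other than the two shown above are assumptions.

```shell
#!/bin/sh
# Added example, not HP's code. Applies the NOTE's rule: an entry is selected
# when the file name in its module_path begins with libpam_krb5. or libpam_updbe.
# Assumption: the accepted module_type and control_flag sets below are the
# common PAM values; adjust them to pam.conf(4) on the target system.
VALID_TYPES="auth account session password"
VALID_FLAGS="required optional sufficient"

# classify_pam_conf [FILE]   (reads stdin when FILE is omitted)
# Prints: <kind> <status> <service> <module_type> <control_flag> <module_path>
# kind is KRB5 or UPDBE; status is OK, BAD_TYPE or BAD_FLAG.
classify_pam_conf() {
    awk -v types="$VALID_TYPES" -v flags="$VALID_FLAGS" '
    BEGIN {
        n = split(types, t, " "); for (i = 1; i <= n; i++) okt[t[i]] = 1
        n = split(flags, f, " "); for (i = 1; i <= n; i++) okf[f[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    NF < 4 { next }                     # not a complete entry
    {
        base = $4; sub(/.*\//, "", base)   # the rule keys on the file name
        if (index(base, "libpam_krb5.") == 1) kind = "KRB5"
        else if (index(base, "libpam_updbe.") == 1) kind = "UPDBE"
        else next
        status = "OK"
        if (!($2 in okt)) status = "BAD_TYPE"
        else if (!($3 in okf)) status = "BAD_FLAG"
        print kind, status, $1, $2, $3, $4
    }' "$@"
}

# updbe_configured [FILE]: succeeds when a libpam_updbe entry exists, the
# condition under which /etc/pam_user.conf is validated too.
updbe_configured() {
    classify_pam_conf "$@" | grep -q '^UPDBE '
}

# Constructed sample; the first two entries are the ones shown in the NOTE.
classify_pam_conf <<'EOF'
login   auth     required   /usr/lib/security/libpam_krb5.1
login   auth     required   /usr/lib/security/libpam_updbe.1
login   auth     required   /usr/lib/security/libpam_unix.1
su      account  always     /usr/lib/security/libpam_krb5.1
EOF
```

      Entries whose directory name merely contains libpam_krb5. are not
      selected, because only the file name is compared.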


    LOGGING
      pamkrbval logs all messages to stdout. The log categories provided
      are:

	   [LOG]	  These messages are logged when the verbose option
			  is set.

	   [NOTICE]	  These messages are logged to notify the user about
			  the erroneous lines in PAM configuration files or
			  to notify about the skipping of /etc/pam_user.conf
			  file validation.

	   [FAIL]	  These messages are logged when any of the above
			  mentioned validation fails.

	   [PASS]	  These messages are logged when any of the above
			  mentioned validation succeeds.

	   [IGNORE]	  These messages are logged when validation of
			  /etc/krb5.keytab is ignored.

	   ERROR	  These messages are logged to inform the user about
			  the exact problem in the PAM configuration files.

	   [Help]	  These messages will give some minimal help to the
			  user to rectify the problem.

	   If there are any [FAIL] or ERROR messages then there is some
	   problem in the appropriate section. The administrator should
	   diagnose the problem.

 OPTIONS
      pamkrbval recognizes only the following option:

	   -v[erbose]	     verbose output

 FILES
      /etc/krb5.conf	       The Kerberos client configuration file

      /etc/pam.conf	       The PAM configuration file

      /etc/pam_user.conf       The PAM user configuration file

      /etc/krb5.keytab	       The default location for the local host's
			       keytab file

 AUTHOR
      pamkrbval was developed by HP.

 SEE ALSO
      krb5.conf(4), pam(3), pam_krb5(5), pam.conf(4), pam_updbe(5),
      pam_user.conf(4)

 Hewlett-Packard Company	    PAM Kerberos v 1.10 September 2002