pamkrbval - validates the PAM Kerberos configuration.
pamkrbval [ -v[erbose] ]
pamkrbval verifies the PAM Kerberos related configuration files,
/etc/pam.conf, /etc/pam_user.conf, /etc/krb5.conf, and
/etc/krb5.keytab. It also checks if the default realm KDC is running.
This version of pamkrbval is based on Kerberos V5 Client Version 1.0
and may not work with configuration files of other Kerberos versions.
This tool will help the administrator diagnose the problem.
pamkrbval performs the following validations:
- Checks whether the control_flags and the module_types specified
  for the PAM Kerberos specific entries in the /etc/pam.conf file
- Checks whether the PAM Kerberos specific module_paths that are
  specified in /etc/pam.conf exist.
- Checks whether the options specified for pam_krb5 library are
  valid PAM Kerberos options.
- Validates /etc/pam_user.conf file only if libpam_updbe is
  configured in /etc/pam.conf file. This validation will be similar
  to the /etc/pam.conf validation.
- Validates the syntax of the Kerberos configuration file,
- Validates if the default realm KDC is issuing tickets. At least
  one KDC must reply to the ticket requests for the default realm.
- Validates the host service principal,
  host/<hostname>@<default_realm> in /etc/krb5.keytab if present.
  If this host service principal is not present in the default
  keytab file, /etc/krb5.keytab, then that validation is ignored and
  Success is assumed.
An entry in /etc/pam.conf file is considered to be PAM Kerberos entry
if the file name in the module_path begins with libpam_krb5.. An
example of a PAM Kerberos entry in /etc/pam.conf is as shown:
login auth required /usr/lib/security/libpam_krb5.1
Hewlett-Packard Company - 1 - PAM Kerberos v 1.10 September 2002
The machine is considered to be configured with libpam_updbe if the
file name in the module_path of an entry in /etc/pam.conf begins with
libpam_updbe.. An example of a pam_updbe entry in /etc/pam.conf is as
login auth required /usr/lib/security/libpam_updbe.1
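The entry-classification rule described above, as an added example (not pamkrbval's own code): it marks /etc/pam.conf entries whose module_path file name begins with libpam_krb5. or libpam_updbe. and flags suspect fields on the PAM Kerberos entries. The function name, the sample lines, and the accepted module_type and control_flag sets are assumptions, not taken from this page.

```python
import posixpath

KRB5_PREFIX = "libpam_krb5."    # prefix rule from the text above
UPDBE_PREFIX = "libpam_updbe."  # prefix rule from the text above
# Assumption: generic PAM values, not listed on this page; see pam.conf(4).
MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


def scan_pam_conf(text):
    """Return (krb5_entries, updbe_configured, notices) for pam.conf text."""
    krb5_entries, updbe_configured, notices = [], False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if not fields:
            continue
        if len(fields) < 4:
            notices.append((lineno, "fewer than 4 fields"))
            continue
        service, module_type, control_flag, module_path = fields[:4]
        name = posixpath.basename(module_path)
        if name.startswith(UPDBE_PREFIX):
            updbe_configured = True  # /etc/pam_user.conf would be validated
        if not name.startswith(KRB5_PREFIX):
            continue  # only PAM Kerberos entries are checked further
        krb5_entries.append((lineno, service, module_type, control_flag, module_path))
        if module_type not in MODULE_TYPES:
            notices.append((lineno, "unknown module_type " + module_type))
        if control_flag not in CONTROL_FLAGS:
            notices.append((lineno, "unknown control_flag " + control_flag))
    return krb5_entries, updbe_configured, notices


# Constructed sample input, not taken from a real host.
SAMPLE = """\
# constructed sample
login auth required /usr/lib/security/libpam_updbe.1
login auth required /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1
su    auth requird  /usr/lib/security/libpam_krb5.1
ftp   acount required /usr/lib/security/libpam_krb5.1
"""

if __name__ == "__main__":
    entries, updbe, notes = scan_pam_conf(SAMPLE)
    for entry in entries:
        print("krb5 entry:", entry)
    print("validate /etc/pam_user.conf:", updbe)
    for lineno, msg in notes:
        print("line %d: %s" % (lineno, msg))
```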
pamkrbval logs all messages to stdout. The log categories provided
[LOG]     These messages are logged when verbose option is
[NOTICE]  These messages are logged to notify the user about
          the erroneous lines in pam configuration files or
          to notify about the skipping of /etc/pam_user.conf
[FAIL]    These messages are logged when any of the above
          mentioned validation fails.
[PASS]    These messages are logged when any of the above
          mentioned validation succeeds.
[IGNORE]  These messages are logged when validation of
          /etc/krb5.keytab is ignored.
ERROR     These messages are logged to inform the user about
          the exact problem in the pam configuration files.
[Help]    These messages will give some minimal help to the
          user to rectify the problem.
If there are any [FAIL] or ERROR messages then there is some
problem in the appropriate section. The administrator should
diagnose the problem.
pamkrbval recognizes only the following option:
-v[erbose]    verbose output
/etc/krb5.conf      The Kerberos client configuration file
/etc/pam.conf       The PAM configuration file
/etc/pam_user.conf  The PAM user configuration file
/etc/krb5.keytab    The default location for the local host's
pamkrbval was developed by HP.
krb5.conf(4), pam(3), pam_krb5(5), pam.conf(4), pam_updbe(5),