Configuration Guide for Kerberos Client Products on HP-UX

Introduction to the Kerberos Products and GSS-API
PAM Kerberos
• Checks the validity of the control_flags and the module_types
  specified for the PAM Kerberos specific entries in the
  /etc/pam.conf file.
• Checks if the PAM Kerberos specific module_path specified in the
  /etc/pam.conf file exists. If the module_path name is not absolute,
  it is assumed to be relative to /usr/lib/security/$ISA/. The $ISA
  (Instruction Set Architecture) token is replaced by this tool with
  hpux32 for the Itanium 32-bit option (ia32), with hpux64 for the
  Itanium 64-bit option (ia64), with null for the PA 32-bit option
  (pa32), or with pa20_64 for the PA 64-bit option (pa64).
• Checks if the options specified for the pam_krb5 library are valid
  PAM Kerberos options.
• Validates the /etc/pam_user.conf file only if libpam_updbe is
  configured in the /etc/pam.conf file. This validation is similar to
  the /etc/pam.conf validation.
• Validates the syntax of the Kerberos configuration file,
  /etc/krb5.conf.
• Validates if the default realm KDC is issuing tickets. At least one
  KDC must reply to the ticket requests for the default realm.
• Validates the host service principal,
  host/<hostname>@<default_realm>, in /etc/krb5.keytab, if
  present. If the keytab entry for this host service principal is not
  present in the default keytab file, /etc/krb5.keytab, then that
  validation is ignored and success is assumed.
NOTE An entry in the /etc/pam.conf file is considered to be a PAM Kerberos
entry if the file name in the module_path begins with libpam_krb5.
An example of a PAM Kerberos entry in /etc/pam.conf is shown below:
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1
The machine is considered to be configured with libpam_updbe if the file
name in the module_path of an entry in /etc/pam.conf begins with
libpam_updbe. The following is an example of a pam_updbe entry in the
/etc/pam.conf file:
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
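
The /etc/pam.conf checks and the entry-matching rules in the NOTE above can be reproduced with a short script when auditing a host by hand. This is an added example, not the validation tool's own code: the function names, the accepted module_type and control_flag sets, and the sample input are assumptions, while the $ISA mapping and the libpam_krb5 / libpam_updbe prefix rules are the ones stated on this page.

```python
import posixpath

# $ISA substitutions as listed on this page (pa32 maps to an empty string).
ISA_DIRS = {"ia32": "hpux32", "ia64": "hpux64", "pa32": "", "pa64": "pa20_64"}
# Assumption: accepted values; confirm against pam.conf(4) on the target host.
MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "optional", "sufficient"}
DEFAULT_DIR = "/usr/lib/security/$ISA/"

def resolve_module_path(module_path, arch):
    """Make a relative module_path absolute, then expand $ISA for arch."""
    if not module_path.startswith("/"):
        module_path = DEFAULT_DIR + module_path
    return posixpath.normpath(module_path.replace("$ISA", ISA_DIRS[arch]))

def check_pam_conf(text, arch, exists):
    """Return (findings, uses_updbe); findings are (line_number, message)."""
    findings, uses_updbe = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment, or too short to carry a module_path
        _service, mtype, flag, mpath = fields[:4]
        name = posixpath.basename(mpath)
        if name.startswith("libpam_updbe"):
            uses_updbe = True  # /etc/pam_user.conf would need validating too
        if not name.startswith("libpam_krb5"):
            continue  # only PAM Kerberos entries are checked
        if mtype not in MODULE_TYPES:
            findings.append((lineno, f"invalid module_type {mtype!r}"))
        if flag not in CONTROL_FLAGS:
            findings.append((lineno, f"invalid control_flag {flag!r}"))
        resolved = resolve_module_path(mpath, arch)
        if not exists(resolved):
            findings.append((lineno, f"module not found: {resolved}"))
    return findings, uses_updbe

SAMPLE = """\
# constructed sample input, not taken from a real system
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
login account requird libpam_krb5.so.1
login session required libpam_unix.so.1
su sesion optional /opt/krb/libpam_krb5.so.1
"""
PRESENT = {"/usr/lib/security/hpux64/libpam_krb5.so.1"}  # constructed file set

if __name__ == "__main__":
    for lineno, msg in check_pam_conf(SAMPLE, "ia64", PRESENT.__contains__)[0]:
        print(f"pam.conf line {lineno}: {msg}")
```

On a live system, pass os.path.exists as the exists argument and the contents of /etc/pam.conf as text.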