pamkrbval(1m) pamkrbval(1m)
NAME
pamkrbval - validates the PAM Kerberos configuration.
SYNOPSIS
pamkrbval -a { pa32 | pa64 | ia32 | ia64 } [ -v[erbose] ]
DESCRIPTION
pamkrbval verifies the PAM Kerberos-related configuration files,
/etc/pam.conf, /etc/pam_user.conf, /etc/krb5.conf, and
/etc/krb5.keytab. It also checks whether the default realm KDC is running.
This version of pamkrbval is based on Kerberos V5 Client Version 1.0
and may not work with configuration files of other Kerberos versions.
The tool helps the administrator diagnose problems in the PAM Kerberos
configuration.
pamkrbval performs the following validations:
- Checks whether the control_flags and the module_types specified
  for the PAM Kerberos specific entries in the /etc/pam.conf file
  are valid.
- Checks whether the PAM Kerberos specific module_paths that are
  specified in /etc/pam.conf exist. If the module_path name is not
  absolute, it is assumed to be relative to /usr/lib/security/$ISA/.
  The $ISA (i.e., Instruction Set Architecture) token is replaced by
  this tool with hpux32 for the IA 32-bit option (ia32), with
  hpux64 for the IA 64-bit option (ia64), with null for the PA 32-bit
  option (pa32), or with pa20_64 for the PA 64-bit option (pa64).
- Checks whether the options specified for the pam_krb5 library are
  valid PAM Kerberos options.
- Validates the /etc/pam_user.conf file only if libpam_updbe is
  configured in the /etc/pam.conf file. This validation is similar
  to the /etc/pam.conf validation.
- Validates the syntax of the Kerberos configuration file,
  /etc/krb5.conf.
- Validates whether the default realm KDC is issuing tickets. At least
  one KDC must reply to the ticket requests for the default realm.
- Validates the host service principal,
  host/<hostname>@<default_realm>, in /etc/krb5.keytab if present.
  If the keytab entry for this host service principal is not
  present in the default keytab file, /etc/krb5.keytab, then that
  validation is ignored and Success is assumed.
NOTE
An entry in the /etc/pam.conf file is considered to be a PAM Kerberos
entry if the file name in the module_path begins with libpam_krb5.. An
example of a PAM Kerberos entry in /etc/pam.conf is as shown:
Hewlett-Packard Company - 1 - PAM-Kerberos 1.10 (September 2002)
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1
The machine is considered to be configured with libpam_updbe if the
file name in the module_path of an entry in /etc/pam.conf begins with
libpam_updbe.. An example of a pam_updbe entry in /etc/pam.conf is as
shown:
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
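The entry-recognition and $ISA-expansion rules described above, as an added Python example (not HP's code and not part of the original manual page). The accepted module_type and control_flag sets are assumed to be the standard PAM ones, the sample pam.conf text is constructed, and all function names are hypothetical.

```python
import posixpath

# $ISA expansion per -a flag, as given in DESCRIPTION ("null" read as empty).
ISA = {"ia32": "hpux32", "ia64": "hpux64", "pa32": "", "pa64": "pa20_64"}
# Assumption: the standard PAM module types and control flags; the page
# does not list the exact values pamkrbval accepts.
MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# service  module_type  control_flag  module_path
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required libpam_updbe.so.1
login account mandatory libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1
"""

def resolve_module_path(module_path, arch):
    """Anchor relative names under /usr/lib/security/$ISA/, then expand $ISA."""
    if not module_path.startswith("/"):
        module_path = "/usr/lib/security/$ISA/" + module_path
    return posixpath.normpath(module_path.replace("$ISA", ISA[arch]))

def classify(line, arch):
    """Describe one pam.conf entry, or return None if the line has no entry."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 4:
        return None
    _service, module_type, control_flag, module_path = fields[:4]
    name = posixpath.basename(module_path)
    kind = ("krb5" if name.startswith("libpam_krb5.") else
            "updbe" if name.startswith("libpam_updbe.") else "other")
    problems = []
    if kind == "krb5":  # only PAM Kerberos entries are validated
        if module_type not in MODULE_TYPES:
            problems.append("invalid module_type: " + module_type)
        if control_flag not in CONTROL_FLAGS:
            problems.append("invalid control_flag: " + control_flag)
    return {"kind": kind, "path": resolve_module_path(module_path, arch),
            "problems": problems}

def audit(text, arch):
    """Classify every entry; /etc/pam_user.conf matters only if updbe is seen."""
    entries = [e for e in (classify(l, arch) for l in text.splitlines()) if e]
    check_pam_user = any(e["kind"] == "updbe" for e in entries)
    return entries, check_pam_user

if __name__ == "__main__":
    for entry in audit(SAMPLE, "ia64")[0]:
        print(entry)
```

The resolved paths can then be checked for existence on the target host, which the example leaves out so that it runs anywhere.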
LOGGING
pamkrbval logs all messages to stdout. The log categories provided
are:
[LOG]     These messages are logged when the verbose option is
          set.
[NOTICE]  These messages are logged to notify the user about
          the erroneous lines in PAM configuration files or
          to notify about the skipping of /etc/pam_user.conf
          file validation.
[FAIL]    These messages are logged when any of the above
          mentioned validations fails.
[PASS]    These messages are logged when any of the above
          mentioned validations succeeds.
[IGNORE]  These messages are logged when validation of
          /etc/krb5.keytab is ignored.
ERROR     These messages are logged to inform the user about
          the exact problem in the PAM configuration files.
[Help]    These messages give some minimal help to the
          user to rectify the problem.
If there are any [FAIL] or ERROR messages, then there is a
problem in the corresponding section. The administrator should
diagnose the problem.
OPTIONS
-v[erbose] verbose output
-a { pa32 | pa64 | ia32 | ia64 }
This option must be set according to the architecture on which the
validation needs to be done. The flags available are as
listed below:
pa32 for PA 32-bit architecture
pa64 for PA 64-bit architecture
ia32 for IA 32-bit architecture
ia64 for IA 64-bit architecture
Depending on this flag, $ISA in the module_path will be expanded
as explained above.
FILES
/etc/krb5.conf      The Kerberos client configuration file
/etc/pam.conf       The PAM configuration file
/etc/pam_user.conf  The PAM user configuration file
/etc/krb5.keytab    The default location for the local host's
                    keytab file
AUTHOR
pamkrbval was developed by HP.
SEE ALSO
krb5.conf(4), pam(3), pam_krb5(5)