Symptoms: Solaris' dtlogin (xdm) just kinda resets. dtlogin accepts your password, begins to start X for you, but then pops right back to the login screen. /var/dt/Xerrors contains something like:
dtlogin: received signal 11
X connection to :0.0 broken
(explicit kill or server shutdown).
What the hell is going on? Well, the KRB5 PAM i use with Solaris, v 1.1.3,
which was written by Curtis King So if something bad has happened to the
stash file containing the service creds for kadmin/admin (which is
/etc/kadm5.keytab on my system, but might be /var/krb5kdc/kadm5.keytab on
more stock systems), when the KRB5 PAM goes to get creds, it gets the first
ones (like the TGT you want) but then fails on the kadmin/admin service
tickets, causing and dtlogin to crap out and fail.
The underlying cause here was i had re-extracted the kadmin/admin
creds to a new stash file, and the old file had an older revision than
was in the Kerberos database. This happens a lot with host principals
and krb5.keytabs. The thing to remember is that when you extract service
creds (ticket) with kadmin ("xst" or "ktadd"), the key revision is
incremented, and if you have older revisions of the creds stashed
anywhere else, they're now obsolete and no-workie.
Solution: re-extract the creds into a new /var/krb5kdc/kadm5.keytab,
and restart kadmind. (Thu Dec 13 07:07:58 EST 2001)
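A quick way to catch a stale stash file before dtlogin starts bouncing, as an added example (not part of the original note): compare the key revision in the keytab with the one in the Kerberos database. It assumes MIT Kerberos output formats for `klist -k` and kadmin's `getprinc`; the realm EXAMPLE.COM and the sample kvno values are constructed.

```shell
#!/bin/sh
# Added example: flag a keytab whose key version number (kvno) lags the KDC's.
# Assumes MIT Kerberos text formats for `klist -k` and kadmin's `getprinc`.

# Highest kvno stored for principal $1; reads `klist -k <keytab>` output on stdin.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0 }
        END { if (max < 0) exit 1; print max }'
}

# Highest kvno in the Kerberos database; reads `getprinc <principal>` output on stdin.
kdc_kvno() {
    awk 'BEGIN { max = -1 }
        $1 == "Key:" && $2 == "vno" { v = $3; sub(/,$/, "", v); if (v + 0 > max) max = v + 0 }
        END { if (max < 0) exit 1; print max }'
}

# $1 = principal, $2 = `klist -k` text, $3 = `getprinc` text.
# Prints a verdict; returns 0 only when the keytab holds the current key.
check_keytab() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || { echo "missing"; return 2; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno) || { echo "unknown"; return 3; }
    if [ "$kt" -lt "$kdc" ]; then
        echo "stale: keytab kvno $kt, KDC kvno $kdc"
        return 1
    fi
    echo "ok: kvno $kt"
}

# Constructed sample data (realm and kvno values are made up for illustration).
SAMPLE_KLIST='Keytab name: FILE:/etc/kadm5.keytab
KVNO Principal
---- ------------------------------------------------
   3 kadmin/admin@EXAMPLE.COM
   3 kadmin/changepw@EXAMPLE.COM'
SAMPLE_GETPRINC='Principal: kadmin/admin@EXAMPLE.COM
Number of keys: 1
Key: vno 4, des3-cbc-sha1, no salt'

check_keytab kadmin/admin@EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_GETPRINC" || :
# Live use (run as root on the KDC), with your own realm in place of EXAMPLE.COM:
#   check_keytab kadmin/admin@EXAMPLE.COM "$(klist -k /etc/kadm5.keytab)" \
#       "$(kadmin.local -q 'getprinc kadmin/admin')"
```

The same check works for host principals in krb5.keytab; a "stale" verdict means the keytab was left behind by a later extraction.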
$Id: kerberos.html,v 1.2 2002/05/10 06:54:31 johan Exp $