pamkrbval(1m)

NAME
pamkrbval - validates the PAM Kerberos configuration.
SYNOPSIS
pamkrbval { pa32 | pa64 | ia32 | ia64 } [ verbose ] [ CIFS ]
DESCRIPTION
pamkrbval verifies the PAM Kerberos related configuration files. It also
checks whether the default realm KDC is running. This tool helps the
administrator diagnose the problem.

pamkrbval performs the following validations:

- Checks whether the control_flags and the module_types specified
  for the PAM Kerberos specific entries in the /etc/pam.conf file
  are valid.

- Checks whether the PAM Kerberos specific module_paths that are
  specified in /etc/pam.conf exist. If the module_path name is not
  absolute it is assumed to be relative to The (i.e. Instruction Set
  Architecture) token is replaced by this tool with for IA 32-bit
  option( ), or with for IA 64-bit option( ), or with null for PA
  32-bit option( ), or with for PA 64-bit option( ).

- Checks whether the options specified for pam_krb5 library are
  valid PAM Kerberos options.

- Validates the /etc/pam_user.conf file only if libpam_updbe is
  configured in the /etc/pam.conf file. This validation is similar
  to the /etc/pam.conf validation.

- Validates the syntax of the Kerberos configuration file,
  /etc/krb5.conf.

- Validates whether the default realm KDC is issuing tickets. At least
  one KDC must reply to the ticket requests for the default realm.

- Validates the host service principal, in the file, if this file
  exists. If the keytab entry for this host service principal does
  not exist in the default keytab file, pamkrbval checks for the host
  service principal in the KDC. If the host service principal does
  not exist in the KDC, pamkrbval ignores the validation and assumes
  success. If pamkrbval finds the host service principal in the KDC,
  it issues the following warning message:

      found on KDC but not found in keytab file.
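
The first two validations above (valid module_type and control_flag, and an existing module_path), as an added Python example that is not pamkrbval's own code. It assumes the usual pam.conf field order and flag names and libpam_krb5 as the Kerberos module prefix; the sample lines and the /constructed/security directory are constructed, and the Instruction Set Architecture token expansion is left out.

```python
import os

# Assumptions, not from the man page: the pam.conf field order, the usual PAM
# module types and control flags, and "libpam_krb5" as the Kerberos prefix.
MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "optional", "sufficient"}
KRB5_PREFIX = "libpam_krb5"
UPDBE_PREFIX = "libpam_updbe"  # named on the page

# Constructed sample input; /constructed/security is a placeholder directory.
SAMPLE = """\
# service  module_type  control_flag  module_path  options
login   auth     required   libpam_krb5.so.1
login   auth     mandatory  /constructed/security/libpam_krb5.so.1 debug
login   auth     required   libpam_updbe.so.1
login   acount   required   libpam_krb5.so.1
login   session  required   libpam_unix.so.1
"""


def check_pam_conf(text, module_dir, exists=os.path.exists):
    """Return (findings, updbe_configured) for pam.conf-style text."""
    findings, updbe = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment, or too short to carry a module_path
        _service, mtype, flag, path = fields[:4]
        name = os.path.basename(path)
        if name.startswith(UPDBE_PREFIX):
            updbe = True  # /etc/pam_user.conf would then be validated too
        if not name.startswith(KRB5_PREFIX):
            continue  # only PAM Kerberos entries are checked
        if mtype not in MODULE_TYPES:
            findings.append((lineno, f"invalid module_type {mtype!r}"))
        if flag not in CONTROL_FLAGS:
            findings.append((lineno, f"invalid control_flag {flag!r}"))
        # A module_path that is not absolute is resolved against module_dir.
        full = path if os.path.isabs(path) else os.path.join(module_dir, path)
        if not exists(full):
            findings.append((lineno, f"module_path {full} does not exist"))
    return findings, updbe


if __name__ == "__main__":
    for lineno, msg in check_pam_conf(SAMPLE, "/constructed/security")[0]:
        print(f"line {lineno}: {msg}")
```

The exists parameter lets the check run against a fixed list of paths instead of the live file system.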
NOTE
An entry in the /etc/pam.conf file is considered to be a PAM Kerberos entry
if the file name in the module_path begins with An example of a PAM
Kerberos entry in /etc/pam.conf is as shown:
The machine is considered to be configured with libpam_updbe if the
file name in the module_path of an entry in /etc/pam.conf begins with
An example of a pam_updbe entry in /etc/pam.conf is as shown:
LOGGING
pamkrbval logs all messages to stdout. The log categories provided are:

These messages are logged when the verbose option is set.

These messages are logged to notify the user about the erroneous
lines in pam configuration files or to notify about the skipping
of /etc/pam_user.conf file validation.

These messages are logged when any of the above-mentioned
validations fails.

These messages are logged to notify the user about a potentially
erroneous configuration on the system that may result in
validation failure.

These messages are logged when any of the above-mentioned
validations succeeds.

These messages are logged when validation of /etc/krb5.keytab is
ignored.

These messages are logged to inform the user about the exact
problem in the pam configuration files.

These messages give some minimal help to the user to rectify
the problem.

If there are any or or messages then there is some problem in
the appropriate section. The administrator should diagnose the
problem.
OPTIONS
verbose output
{ pa32 | pa64 | ia32 | ia64 }
Set this option according to the architecture on which the validation
needs to be done. The flags available are listed below:
pa32   for PA 32-bit architecture
pa64   for PA 64-bit architecture
ia32   for IA 32-bit architecture
ia64   for IA 64-bit architecture
Depending on this flag, in the module_path will be expanded as
explained in the Description section of this manpage.
Use this option if
is configured on the system to enable validation of the keytab
entry for Do not use this option if is not configured on the
system.
RETURN VALUE
pamkrbval returns the following exit codes:
Successful configuration validation.
Warnings were found during configuration validation.
Errors were detected during configuration validation.
FILES
/etc/krb5.conf       The Kerberos client configuration file
/etc/pam.conf        The PAM configuration file
/etc/pam_user.conf   The PAM user configuration file
/etc/krb5.keytab     The default location for the local host's keytab file
AUTHOR
pamkrbval was developed by HP.
SEE ALSO
krb5.conf(4), pam(3), pam_krb5(5), pam.conf(4), pam_updbe(5),
pam_user.conf(4)