Solaris 9 12/03 Release Notes

Security Bugs

Unlocking CDE Screenlock Removes Kerberos Version 5 Credentials (4674474)

If you unlock a locked CDE session, all your cached Kerberos version 5 (krb5) credentials might be removed. The result is you might not be able to access various system utilities. This problem occurs under the following conditions:

If this problem occurs, the following error message is displayed:

lock screen: PAM-KRB5 (auth): Error verifying TGT with host/host-name:
Permission denied in replay cache code

Workaround: Add the following non-pam_krb5 dtsession entries to the /etc/pam.conf file:

dtsession auth requisite
dtsession auth required

With these entries in the /etc/pam.conf file, the pam_krb5 module does not run by default.

cron, at, and batch Cannot Schedule Jobs for Locked Accounts (4622431)

In the Solaris 9 12/03 release, locked accounts are treated in the same way as expired or nonexistent accounts. As a result, the cron, at, and batch utilities cannot schedule jobs on locked accounts.

Workaround: To enable locked accounts to accept cron, at, or batch jobs, replace the password field of a locked account (*LK*) with the string NP, for no password.