[CentOS] using windows ad accounts for centos 5

Mike Hanby mhanby at uab.edu
Wed Jun 18 13:54:48 UTC 2008


Strange, when I run

sudo yum whatprovides pam_krb5.so

I get

pam_krb5.i386                            2.2.14-1
centos5-base-rep
Matched from:
/lib/security/pam_krb5.so
pam_krb5.so

If the yum command is failing to report this package, then check your
yum.repos.d files and make sure they aren't dorked.

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of Isaac Gonzalez
Sent: Tuesday, June 17, 2008 20:47
To: CentOS mailing list
Subject: RE: Re: [CentOS] using windows ad accounts for centos 5

Hmmm... I get 

authconfig: Authentication module /lib/security/pam_krb5.so is missing.
Authentication process will not work correctly.

When running this command...I tried to use yum whatprovides pam_krb5.so
...to no avail.

Any suggestions?

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of Jay Leafey
Sent: Thursday, June 05, 2008 4:35 PM
To: CentOS mailing list
Subject: Re: [CentOS] using windows ad accounts for centos 5

Isaac Gonzalez wrote:
> Hi I read and used the article
> http://blog.wazollc.com/Lists/Posts/Post.aspx?ID=2 to authenticate my 
> ad accounts when logging on to cent 5…however, once I edit the 
> nsswitch.conf file, I can’t even log on as root or any local users 
> anymore. Kinit seems to initialize fine doing a kinit 
> username at MYDOMAIN.COM, however doing a
> getent passwd adusername ….it just sits there in the shell and does 
> nothing. I actually had to put all files back to where they were 
> before the change to even be able to login locally or use sudo.
> 
> I followed the steps line by line on this article but get stuck 
> every time….anyone has an idea or a better documented way of achieving 
> what I am trying to do , please let me know.
> 
> Thanks,
> Isaac
> 

I'm using AD-via-Kerberos to authenticate users on several CentOS 5.1
systems.  Setting it up was as easy as a single command line:

authconfig \
         --usemd5 --useshadow --enablelocauthorize \
         --enablekrb5 \
         --krb5realm={AD Domain Name} \
         --enablekrb5kdcdns --enablekrb5realmdns --update

This makes the necessary changes to /etc/krb5.conf, /etc/ and
/etc/nsswitch.conf.  I am NOT using this for user information, just
password authentication, so I add user accounts for each authorized
user.

You can also consider using the --disablesysnetauth flag, which disables
authenticating "system" accounts via the network services and forces
them to use local authorization.  This should prevent entries in the AD
for "root" and other system accounts from being used.

Hope that helps!
--
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
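
Added example (not part of the original thread and not code from any of the posters): a shell pre-flight check for the two failure modes reported above, the missing /lib/security/pam_krb5.so and local accounts becoming unusable after nsswitch.conf is edited. The function names and the ROOT argument are hypothetical, and the "files first" rule is a sanity check assumed here, not a step from the thread.

```shell
#!/bin/sh
# Added example. ROOT (default /) is a hypothetical argument so the checks
# can be pointed at a test tree instead of the live system.

# Save the two files the thread names as modified by authconfig, so a bad
# change can be reverted from a rescue shell.
backup_auth_files() {
    root="${1:-/}"; dest="$2"
    mkdir -p "$dest" || return 1
    for f in etc/krb5.conf etc/nsswitch.conf; do
        if [ -f "$root/$f" ]; then
            cp -p "$root/$f" "$dest/" || return 1
        fi
    done
    return 0
}

# Returns the number of problems found (0 = safe to proceed).
krb5_auth_preflight() {
    root="${1:-/}"; problems=0
    # 1. The PAM module authconfig reported as missing in the thread.
    if [ ! -f "$root/lib/security/pam_krb5.so" ]; then
        echo "MISSING: /lib/security/pam_krb5.so (package pam_krb5)"
        problems=$((problems + 1))
    fi
    # 2. Assumed sanity rule: local files are consulted first for account
    #    data, so root and local users do not depend on a network source.
    nss="$root/etc/nsswitch.conf"
    for db in passwd shadow group; do
        first=$(awk -v db="$db:" '$1 == db { print $2; exit }' "$nss" 2>/dev/null)
        if [ "$first" != "files" ]; then
            echo "RISK: $db does not list 'files' first (found: ${first:-none})"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Run backup_auth_files / /root/auth-backup and then krb5_auth_preflight before the authconfig command, keeping a second root shell open until a fresh local login has been confirmed.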

