[CentOS] Kerberos integration in directory server
nimmermehr at chello.at
nimmermehr at chello.at
Wed Jan 27 12:29:03 UTC 2010
> > -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>> Behalf Of nimmermehr at chello.at
>> Sent: Tuesday, January 26, 2010 6:23 AM
>> To: centos at centos.org
>> Subject: [CentOS] Kerberos integration in directory server
>>
>> Hi,
>>
>> Got some issues regarding Kerberos and Directory Server and hope someone
>> can help me out.
>> Used these for the configiruation :
>> http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
>> http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
>>
>> Server : CentOS 5.4 with Kerberos and Directory Server installed
>> Client : CentOS 5.4
>>
>> I use putty to connect to the client, which authenticates against the
>> server.
>> Using Kerberos or LDAP worked perfectly (using system-config-
>> authentication on the client for configuration)
>>
>> The only thing that doesn't seem to work is the kerberized version of the
>> login via LDAP on the directory Server. Shouldn't I get a Kerberos ticket
>> for that ? If I activate kerberos AND ldap in system-config-authentication
>> it fails :
>>
>> Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user
>> unknown
>> Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
>> Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error
>> retrieving information about user testuser
>> Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user
>> testuser from 192.168.0.1 port 1142 ssh2
>>
>> I followed the instructions here :
>> http://directory.fedoraproject.org/wiki/Howto:Kerberos
>>
>> Maybe I just didn't get it ;)
>>
>> Thanks in advance,
>>
>> Peter
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>My setup is a tad different than yours in that I integrated MIT Kerberos with OpenLDAP. While our configurations are different I'm sure >you're trying for kerberized logins (System authenticates against Kerberos and pulls account information from LDAP). If so here are >some items you may want to verify you have included in your system-auth config file.
>Auth sufficient pam_krb5.so use_first_pass
>Auth sufficient pam_unix.so nullok try_first_pass
>Account sufficient pam_ldap.so
>Account required pam_unix.so
>Password sufficient pam_krb5.so
>Password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authok
>Session optional pam_keyinit.so revoke
>Session optional pam_krb5.so
>Dan
Just to see if I understood it correctly :
It is mandatory that every LDAP-User has a functional Kerberos-login (user and PW). Is it possible for such a user to access a server that only has ldap for authentication and checks against the LDAP-Server ?
About testing : How can I check if the information is pulled out of ldap ?
Thanks in advance :)
Peter
More information about the CentOS
mailing list