[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?
Alain Péan
alain.pean at lpp.polytechnique.fr
Tue Apr 12 16:19:24 UTC 2011
Le 12/04/2011 16:28, John Hodrien a écrit :
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> Sorrry, little error with the output of klit -ke, because I am testing
>> on a test AD domain at this moment. On the first machine, output is :
>> # klist -ke
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>>
>> 2 host/appleton.lab-lpp.local at LAB-LPP.LOCAL (DES cbc mode with
>> CRC-32)
>> 2 host/appleton.lab-lpp.local at LAB-LPP.LOCAL (DES cbc mode with
>> RSA-MD5)
>> 2 host/appleton.lab-lpp.local at LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>> 2 host/appleton at LAB-LPP.LOCAL (DES cbc mode with CRC-32)
>> 2 host/appleton at LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
>> 2 host/appleton at LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>> 2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
>> 2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
>> 2 APPLETON$@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>
> You're still lightly mixing machines though, as your error before
> referred to
> 'bardeen' not appleton. I'm not certain that I've seen a complete
> picture
> here.
>
> I think disabling validate would still get you back to your old
> behaviour, but
> that there's something wrong with the keytabs on these machines.
>
> jh
John,
Thanks for your hint. You are true that error message and 'klist -ke'
come from different servers.
In fact, I solved the problem using the authconfig command, but I wonder
if it is really correct, as I mixed kerberos and ldap. Here is the
authconfig command for my test domain :
# authconfig --enablekrb5
--krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local
--krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL
--enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth
--ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local
--ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update
My /etc/krb5.conf is then the following :
]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST-LPP.LOCAL
default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
TEST-LPP.LOCAL = {
kdc = pc-2003-test.test-lpp.local
kdc = dc1-test.test-lpp.local
admin_server = pc-2003-test.test-lpp.local
default_domain = TEST-LPP.LOCAL
kpasswd_server = pc-2003-test.test-lpp.local
kdc = *
}
[domain_realm]
.test-lpp.local = TEST-LPP.LOCAL
test-lpp.local = TEST-LPP.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
But both kerberos and ldap appear in /etc/pam.d/system-auth-ac :
# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so
I tried to remove the lines with pam_ldap.so and adding in
/etc/krb5.conf, as you suggested :
[appdefaults]
pam = {
novalidate = true
}
But it failed.
With the authconfig configuration, I can authenticate against Active
Directory.
So, it works now, but I am not sure it is completly correct.
Thanks for your help !
Alain
--
==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
More information about the CentOS
mailing list