[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?
John Hodrien
J.H.Hodrien at leeds.ac.uk
Tue Apr 12 16:29:32 UTC 2011
On Tue, 12 Apr 2011, Alain Péan wrote:
> In fact, I solved the problem using the authconfig command, but I wonder
> if it is really correct, as I mixed kerberos and ldap. Here is the
> authconfig command for my test domain :
Using kerberos and ldap is a perfectly reasonable thing to want to do, but you
need to be sure you're doing what you want.
> # authconfig --enablekrb5
> --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local
> --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL
> --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth
> --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local
> --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update
I'd have thought you want kerberos authentication and ldap user information.
--enableldapauth I suspect is wrong. You've switched your kerberos REALM from
the original file you mailed.
> My /etc/krb5.conf is then the following :
> ]# cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5lib.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = TEST-LPP.LOCAL
> default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> [realms]
> TEST-LPP.LOCAL = {
> kdc = pc-2003-test.test-lpp.local
> kdc = dc1-test.test-lpp.local
> admin_server = pc-2003-test.test-lpp.local
> default_domain = TEST-LPP.LOCAL
> kpasswd_server = pc-2003-test.test-lpp.local
> kdc = *
> }
>
> [domain_realm]
> .test-lpp.local = TEST-LPP.LOCAL
> test-lpp.local = TEST-LPP.LOCAL
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
That now looks plausible given what you mailed for the keytab (i.e. the realms
match now).
> But both kerberos and ldap appear in /etc/pam.d/system-auth-ac :
That's because you enabled ldap auth. You probably don't want that.
> I tried to remove the lines with pam_ldap.so and adding in
> /etc/krb5.conf, as you suggested :
> [appdefaults]
> pam = {
> novalidate = true
> }
>
> But it failed.
Assuming the keytab setup is the same is was before, you shouldn't need to
bother with that. I think it should have been validate = false rather than
novalidate = true, I'd misunderstood the manpage.
But if you leave that off, what fails now?
jh
More information about the CentOS
mailing list