On 10/04/2011 17:31, Alain Péan wrote:
Hi all,
I just upgraded more servers, and while doing some tests I found that my setup for Kerberos/LDAP authentication against Active Directory is no longer working. I don't know why... Some time ago I followed Scott Lowe's blog for this setup: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
And it was working correctly until the upgrade. What is curious is that the id command and getent passwd work correctly:
# id pean
uid=9808(pean) gid=5027(ida) groupes=5027(ida),10(wheel),100(users),5024(info)
# getent passwd |grep pean
pean:*:9808:5027:pean:/home/pean:/bin/bash
'pean' is an AD account. But when I try to authenticate, even locally:
So LDAP is correctly found. It is the password that seems problematic...
]$ su - pean
Mot de passe :
Mot de passe :
su: incorrect password
Here is the content of my system-auth-ac PAM module:
]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     required      pam_deny.so

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so
Has anyone an idea where to look? I noticed that 5.6 introduced sssd, and I know that in RHEL 6.0 TLS/SSL authentication is mandatory for LDAP authentication...
Thanks for the help.
Alain
After further verification, it seems to be related to ticket granting. Here is what I have in /var/log/messages:
su: pam_krb5[7200]: TGT failed verification using keytab and key for 'host/bardeen.lab-lpp.local@LAB-LPP.LOCAL': Cannot find ticket for requested realm
Alain