Le 12/04/2011 18:29, John Hodrien a écrit :
On Tue, 12 Apr 2011, Alain Péan wrote:
In fact, I solved the problem using the authconfig command, but I wonder if it is really correct, as I mixed kerberos and ldap. Here is the authconfig command for my test domain :
Using kerberos and ldap is a perfectly reasonable thing to want to do, but you need to be sure you're doing what you want.
# authconfig --enablekrb5 --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update
I'd have thought you want kerberos authentication and ldap user information. --enableldapauth I suspect is wrong. You've switched your kerberos REALM from the original file you mailed.
My /etc/krb5.conf is then the following : ]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5lib.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log
[libdefaults] ticket_lifetime = 24000 default_realm = TEST-LPP.LOCAL default_tk_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = true dns_lookup_kdc = true
[realms] TEST-LPP.LOCAL = { kdc = pc-2003-test.test-lpp.local kdc = dc1-test.test-lpp.local admin_server = pc-2003-test.test-lpp.local default_domain = TEST-LPP.LOCAL kpasswd_server = pc-2003-test.test-lpp.local kdc = * }
[domain_realm] .test-lpp.local = TEST-LPP.LOCAL test-lpp.local = TEST-LPP.LOCAL
[kdc] profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
That now looks plausible given what you mailed for the keytab (i.e. the realms match now).
But both kerberos and ldap appear in /etc/pam.d/system-auth-ac :
That's because you enabled ldap auth. You probably don't want that.
I tried to remove the lines with pam_ldap.so and adding in /etc/krb5.conf, as you suggested : [appdefaults] pam = { novalidate = true }
But it failed.
Assuming the keytab setup is the same is was before, you shouldn't need to bother with that. I think it should have been validate = false rather than novalidate = true, I'd misunderstood the manpage.
But if you leave that off, what fails now?
jh
Indeed, nothing fails now. I want my users to authenticate against Active directory, and it works, and I would like them to be able to use their kerberos credentials, if they need, to access domain ressources, as shares. But I have still to see a problem there..
Thanks again for your help and your comments !
Alain