On 12/04/2011 16:28, John Hodrien wrote:
On Tue, 12 Apr 2011, Alain Péan wrote:
Sorry, little error with the output of klist -ke, because I am testing on a test AD domain at this moment. On the first machine, the output is:

# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
   2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/appleton@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
   2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 APPLETON$@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
You're still lightly mixing machines though, as your error before referred to 'bardeen' not appleton. I'm not certain that I've seen a complete picture here.
I think disabling validate would still get you back to your old behaviour, but that there's something wrong with the keytabs on these machines.
jh
John,
Thanks for your hint. You are right that the error message and the 'klist -ke' output come from different servers.
In fact, I solved the problem using the authconfig command, but I wonder if it is really correct, as I mixed Kerberos and LDAP. Here is the authconfig command for my test domain:
# authconfig --enablekrb5 --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update
My /etc/krb5.conf is then the following:

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5lib.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = TEST-LPP.LOCAL
 default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local
  kdc = dc1-test.test-lpp.local
  admin_server = pc-2003-test.test-lpp.local
  default_domain = TEST-LPP.LOCAL
  kpasswd_server = pc-2003-test.test-lpp.local
  kdc = *
 }

[domain_realm]
 .test-lpp.local = TEST-LPP.LOCAL
 test-lpp.local = TEST-LPP.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
But both Kerberos and LDAP appear in /etc/pam.d/system-auth-ac:

# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
I tried to remove the lines with pam_ldap.so and to add the following in /etc/krb5.conf, as you suggested:

[appdefaults]
 pam = {
  novalidate = true
 }

But it failed.
With the authconfig configuration, I can authenticate against Active Directory.
So, it works now, but I am not sure it is completely correct.
Thanks for your help !
Alain
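The thread turns on whether the host keytab holds a usable key for the principal pam_krb5 uses when it validates a freshly obtained TGT against the local keytab (the check that stops a spoofed KDC from authenticating a user). The script below is an added example, not code from the thread or from pam_krb5/authconfig: it audits a saved `klist -ke` listing offline, confirming that `host/<fqdn>@<REALM>` is present and that it has at least one key that is not single-DES. The sample listing is constructed from the appleton output quoted above; the function names, the exit codes and the "non-DES" criterion are this example's own choices, and the listing format assumed is the MIT `klist -ke` layout shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): offline audit of a `klist -ke` listing.
# Assumes the MIT klist format seen above: a "KVNO Principal" header, then one
# "<kvno> <principal> (<enctype name>)" entry per line.

# Constructed sample, modelled on the appleton keytab quoted in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
   2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 APPLETON$@LAB-LPP.LOCAL (ArcFour with HMAC/md5)'

# has_host_principal LISTING FQDN REALM
# Exit 0 when the keytab contains host/FQDN@REALM, i.e. the service principal
# a TGT-validation step needs to decrypt a ticket for this host.
has_host_principal() {
    # Escape the dots of the FQDN so grep treats them literally.
    esc=$(printf '%s' "host/$2@$3" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* $esc ("
}

# strong_enctype_count LISTING PRINCIPAL
# Prints how many keys PRINCIPAL has whose enctype is not single DES
# ("DES cbc mode with ..."). 0 means only DES keys exist for it.
strong_enctype_count() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p {
            enc = $0
            sub(/^[^(]*\(/, "", enc)   # keep text after the first "("
            sub(/\)$/, "", enc)        # drop the closing ")"
            if (enc !~ /^DES cbc/) n++
        }
        END { print n + 0 }'
}

# audit_keytab LISTING FQDN REALM
# Exit 0: host principal present with a non-DES key.
# Exit 1: host principal missing.   Exit 2: host principal has only DES keys.
audit_keytab() {
    listing=$1; fqdn=$2; realm=$3
    princ="host/$fqdn@$realm"
    if ! has_host_principal "$listing" "$fqdn" "$realm"; then
        echo "MISSING $princ: nothing in the keytab can validate a TGT for this host"
        return 1
    fi
    n=$(strong_enctype_count "$listing" "$princ")
    if [ "$n" -eq 0 ]; then
        echo "WEAK $princ: only single-DES keys present"
        return 2
    fi
    echo "OK $princ: present with $n non-DES key(s)"
    return 0
}

# Usage on the constructed sample; on a real host feed it `klist -ke` output
# and the machine's own FQDN, e.g. audit_keytab "$(klist -ke)" "$(hostname -f)" LAB-LPP.LOCAL
audit_keytab "$SAMPLE_KLIST" appleton.lab-lpp.local LAB-LPP.LOCAL
```

Run against a listing taken from a different machine than the one producing the error (as happened in the thread with bardeen and appleton) the audit reports the host principal as missing, which is the first thing to rule out before turning validation off.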