-----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of nimmermehr at chello.at Sent: Tuesday, January 26, 2010 6:23 AM To: centos at centos.org Subject: [CentOS] Kerberos integration in directory server
Hi,
Got some issues regarding Kerberos and Directory Server and hope someone can help me out. Used these for the configiruation : http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
Server : CentOS 5.4 with Kerberos and Directory Server installed Client : CentOS 5.4
I use putty to connect to the client, which authenticates against the server. Using Kerberos or LDAP worked perfectly (using system-config- authentication on the client for configuration)
The only thing that doesn't seem to work is the kerberized version of the login via LDAP on the directory Server. Shouldn't I get a Kerberos ticket for that ? If I activate kerberos AND ldap in system-config-authentication it fails :
Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user unknown Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error retrieving information about user testuser Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user testuser from 192.168.0.1 port 1142 ssh2
I followed the instructions here : http://directory.fedoraproject.org/wiki/Howto:Kerberos
Maybe I just didn't get it ;)
Thanks in advance,
Peter _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
My setup is a tad different than yours in that I integrated MIT Kerberos with OpenLDAP. While our configurations are different I'm sure >you're trying for kerberized logins (System authenticates against Kerberos and pulls account information from LDAP). If so here are >some items you may want to verify you have included in your system-auth config file.
Auth sufficient pam_krb5.so use_first_pass Auth sufficient pam_unix.so nullok try_first_pass
Account sufficient pam_ldap.so Account required pam_unix.so
Password sufficient pam_krb5.so Password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authok
Session optional pam_keyinit.so revoke Session optional pam_krb5.so
Dan
Just to see if I understood it correctly : It is mandatory that every LDAP-User has a functional Kerberos-login (user and PW). Is it possible for such a user to access a server that only has ldap for authentication and checks against the LDAP-Server ?
About testing : How can I check if the information is pulled out of ldap ?
Thanks in advance :)
Peter