I've updated my kickstart configuration files to work with CentOS 6 and am most of the way there integrating a CentOS 6 system into our LDAP/NIS environment. My authconfig line in the kickstart file is as follows:
authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX --nisserver=nis.XXX.com --useshadow --enablekrb5 --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
This is virtually identical to the authconfig line I was using in CentOS 5. My issue is that users cannot log in with their network (NIS) usernames and passwords.
If I log in as root, I can do a "su - username" and get the user's automounted home directory with the correct uid/gid, but if I try to log in as the user, or do a "su - username" as a non-root user and have to enter the password, authentication always fails.
The entries in /var/log/secure just say "su: pam_unix(su-l:auth): authentication failure". I'm not a pam expert and don't know how to debug this. Anyone else run into this and/or know what might be the problem? This works just fine in CentOS 5.
Alfred
Are they logging in locally or via SSH?
If they are logging in via SSH you can probably increase the verbosity of that and SSH usually has some pretty great messages.
On Thu, Aug 25, 2011 at 11:49 AM, Alfred von Campe alfred@von-campe.com wrote:
On Aug 26, 2011, at 9:18, Steven Crothers wrote:
Are they logging in locally or via SSH?
Locally. Remote logins via ssh work just fine as the home directory is auto-mounted and ssh can find its keys.
I think I solved the problem, but am out of the office today to fully test it. It involved setting the default realm and adding some encryption types to the /etc/krb5.conf file. What I still don't understand is what has changed in CentOS 6 that causes a kickstarted system not to be able to authenticate users whereas a CentOS 5 system can. I need to do a few more installs to track down the root cause, and then I'll post an update here.
Alfred
On Aug 26, 2011, at 9:26, I wrote:
I think I solved the problem, but am out of the office today to fully test it. It involved setting the default realm and adding some encryption types to the /etc/krb5.conf file. What I still don't understand is what has changed in CentOS 6 that causes a kickstarted system not to be able to authenticate users whereas a CentOS 5 system can. I need to do a few more installs to track down the root cause, and then I'll post an update here.
I needed the following lines in the [libdefaults] section of the /etc/krb5.conf to let users authenticate against our Windows AD backend:
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
whereas in CentOS 5 I only needed the following:
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
I think I only needed to add the first encryption type to get it to work, but I left them all in for now. I hope this helps someone else in the future if they run into something similar.
Alfred
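Editor's note on the root cause and the security trade-off in the fix above (this is added commentary and an added script, not part of the thread). What changed between the two releases is the Kerberos library: MIT krb5 1.8 turned off the single-DES enctypes unless allow_weak_crypto = true, and that is the krb5 family RHEL/CentOS 6 ships, whereas CentOS 5 ships 1.6.x where DES was still on. A carried-over [libdefaults] that lists only des-cbc-md5 therefore leaves the client with no enctype it is willing to request, so pam_krb5 fails; the pam_unix line in /var/log/secure only records that module's own hash check and says nothing about the Kerberos step. Running kinit for the user on the box reproduces the Kerberos failure outside PAM. The fix works because it adds arcfour-hmac-md5 (RC4), which an AD KDC offers by default; the DES entries are still filtered out unless allow_weak_crypto is set. Both DES and RC4 are weak, and MIT krb5 1.17 deprecated des3-cbc-sha1 and arcfour-hmac-md5 while 1.18 removed single-DES entirely, so a config that depends on them should be treated as a stop-gap. The script below (my own, not Alfred's) parses the [libdefaults] enctype lists from a krb5.conf string, applies that default policy, and reports which enctypes are disabled, deprecated, or usable; the three configs it audits are constructed from the lists quoted in this thread plus an AES-only variant, which assumes the AD domain supports AES (Server 2008 or later; confirm with klist -e after a successful kinit). Realm and KDC names are the thread's XXX placeholders.

```python
"""Audit krb5.conf [libdefaults] enctype lists against MIT krb5's default policy.

Added example for this thread, not code from the original post. Policy encoded:
  - single-DES enctypes are refused unless allow_weak_crypto = true (krb5 >= 1.8,
    the family RHEL/CentOS 6 ships);
  - des3-cbc-sha1 and arcfour-hmac-md5 still negotiate but are deprecated (krb5 >= 1.17).
"""
import re

# Single-DES family (and export-grade RC4): filtered out when allow_weak_crypto is false.
DISABLED_BY_DEFAULT = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1",
    "des3-cbc-raw", "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp",
}
# Negotiable by default but deprecated upstream; avoid in new configs.
DEPRECATED = {
    "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_libdefaults(conf_text):
    """Return {key: [tokens]} for the flat 'key = value' lines of [libdefaults].

    Nested relation blocks in other sections are ignored; that is all this audit needs.
    """
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # krb5.conf comment lines
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.split()
    return values


def audit(conf_text):
    """Classify each configured enctype list.

    Returns {key: {"configured", "usable", "deprecated", "disabled"}}. An empty
    'usable' list means the client cannot request a ticket at all, which is
    exactly what surfaces as a bare authentication failure in PAM.
    """
    ld = parse_libdefaults(conf_text)
    allow_weak = ld.get("allow_weak_crypto", ["false"])[0].lower() == "true"
    report = {}
    for key in ENCTYPE_KEYS:
        if key not in ld:
            continue
        configured = [e.lower() for e in ld[key]]
        disabled = [e for e in configured if e in DISABLED_BY_DEFAULT and not allow_weak]
        deprecated = [e for e in configured if e in DEPRECATED]
        usable = [e for e in configured if e not in disabled]
        report[key] = {"configured": configured, "usable": usable,
                       "deprecated": deprecated, "disabled": disabled}
    return report


def explains_auth_failure(conf_text):
    """True when some enctype list is left empty by the default policy."""
    return any(not r["usable"] for r in audit(conf_text).values())


# Constructed from the lists quoted in the thread (CentOS 5 config, then the CentOS 6 fix).
CENTOS5_CONF = """
[libdefaults]
 default_realm = XXX.COM
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
"""

CENTOS6_FIX = """
[libdefaults]
 default_realm = XXX.COM
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
"""

# Assumption: the AD KDC supports AES (Windows Server 2008 or later).
HARDENED = """
[libdefaults]
 default_realm = XXX.COM
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, conf in (("centos5", CENTOS5_CONF), ("centos6-fix", CENTOS6_FIX), ("hardened", HARDENED)):
        print(name, "explains auth failure:", explains_auth_failure(conf))
        for key, r in audit(conf).items():
            print("  %-21s usable=%s deprecated=%s disabled=%s"
                  % (key, r["usable"], r["deprecated"], r["disabled"]))
```

Run it against a real /etc/krb5.conf by passing open("/etc/krb5.conf").read() to audit(). The CentOS 5 config comes back with no usable enctype, the posted fix comes back usable only through the two deprecated entries, and the AES-only config comes back clean. Setting allow_weak_crypto = true would make the old config "work" again, but that re-enables DES for every ticket on the host; moving the client to AES is the fix to keep.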