-----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of nimmermehr at chello.at Sent: Tuesday, January 26, 2010 6:23 AM To: centos at centos.org Subject: [CentOS] Kerberos integration in directory server
Hi,
Got some issues regarding Kerberos and Directory Server and hope someone can help me out. Used these for the configuration:
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
Server: CentOS 5.4 with Kerberos and Directory Server installed
Client: CentOS 5.4
I use PuTTY to connect to the client, which authenticates against the server. Using Kerberos or LDAP worked perfectly (using system-config-authentication on the client for configuration).
The only thing that doesn't seem to work is the kerberized version of the login via LDAP on the Directory Server. Shouldn't I get a Kerberos ticket for that? If I activate Kerberos AND LDAP in system-config-authentication it fails:
Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user unknown
Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error retrieving information about user testuser
Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user testuser from 192.168.0.1 port 1142 ssh2
I followed the instructions here: http://directory.fedoraproject.org/wiki/Howto:Kerberos
Maybe I just didn't get it ;)
Thanks in advance,
Peter _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
My setup is a tad different from yours in that I integrated MIT Kerberos with OpenLDAP. While our configurations are different I'm sure you're trying for kerberized logins (system authenticates against Kerberos and pulls account information from LDAP). If so, here are some items you may want to verify you have included in your system-auth config file.
auth     sufficient pam_krb5.so use_first_pass
auth     sufficient pam_unix.so nullok try_first_pass

account  sufficient pam_ldap.so
account  required   pam_unix.so

password sufficient pam_krb5.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

session  optional   pam_keyinit.so revoke
session  optional   pam_krb5.so
Dan
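A small checker for the stack Dan describes, as an added example (it is not code from the thread or from CentOS): it parses a PAM service file such as /etc/pam.d/system-auth and reports whether pam_krb5 is consulted before pam_unix in the auth phase, whether pam_ldap is present in the account phase, whether the auth stack ends with the `pam_deny.so` terminator the stock CentOS system-auth uses, and whether any pam_unix option is misspelled (the message's `use_authok` is the real option `use_authtok`). Two sample stacks are embedded: Dan's as posted, and a corrected copy.

```python
"""Audit a PAM service file (e.g. /etc/pam.d/system-auth) for the kerberized
login pattern from the thread: pam_krb5 authenticates, LDAP supplies the
Unix account.  Added example; not code from the thread or from CentOS."""
import difflib
import re
from collections import defaultdict

# Dan's stack as posted in the thread, typo (`use_authok`) included and
# without the `auth required pam_deny.so` line that the stock CentOS
# system-auth ends its auth stack with.
DAN_STACK_AS_POSTED = """\
auth     sufficient pam_krb5.so use_first_pass
auth     sufficient pam_unix.so nullok try_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix.so
password sufficient pam_krb5.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authok
session  optional   pam_keyinit.so revoke
session  optional   pam_krb5.so
"""

# Same stack with the option spelled correctly and the auth stack terminated.
CORRECTED_STACK = """\
auth     sufficient pam_krb5.so use_first_pass
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_deny.so
account  sufficient pam_ldap.so
account  required   pam_unix.so
password sufficient pam_krb5.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session  optional   pam_keyinit.so revoke
session  optional   pam_krb5.so
"""

# type  control  module  [args...]; control may be a bracketed action list.
PAM_LINE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
    r"(?:\s+(?P<args>.*))?$"
)

# Subset of pam_unix options (from the pam_unix man page) this checker
# recognises; anything else on a pam_unix line is reported.
PAM_UNIX_OPTIONS = sorted({
    "nullok", "try_first_pass", "use_first_pass", "use_authtok", "shadow",
    "md5", "sha256", "sha512", "bigcrypt", "remember", "minlen", "debug",
    "audit", "nis", "not_set_pass", "broken_shadow", "nodelay", "quiet",
})


def parse_pam(text):
    """Parse PAM lines into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        entries.append({
            "type": m.group("type").lstrip("-"),  # leading '-' = skip silently if absent
            "control": m.group("control"),
            "module": m.group("module"),
            "args": (m.group("args") or "").split(),
        })
    return entries


def audit(text):
    """Return a list of findings; an empty list means the stack matches the pattern."""
    findings = []
    entries = parse_pam(text)
    stacks = defaultdict(list)
    for e in entries:
        stacks[e["type"]].append(e)

    auth_modules = [e["module"] for e in stacks["auth"]]
    if "pam_krb5.so" not in auth_modules:
        findings.append("auth: no pam_krb5.so, so logins never authenticate against the KDC")
    elif ("pam_unix.so" in auth_modules
          and auth_modules.index("pam_krb5.so") > auth_modules.index("pam_unix.so")):
        findings.append("auth: pam_krb5.so is listed after pam_unix.so, so Kerberos is only "
                        "tried when the local password fails")
    if not auth_modules or auth_modules[-1] != "pam_deny.so":
        findings.append("auth: stack does not end with 'required pam_deny.so' "
                        "as the stock CentOS system-auth does")

    if "pam_ldap.so" not in [e["module"] for e in stacks["account"]]:
        findings.append("account: no pam_ldap.so, so LDAP-side account restrictions are never checked")

    for e in entries:
        if e["module"] != "pam_unix.so":
            continue
        for arg in e["args"]:
            name = arg.split("=", 1)[0]
            if name not in PAM_UNIX_OPTIONS:
                hint = difflib.get_close_matches(name, PAM_UNIX_OPTIONS, n=1)
                findings.append("%s: pam_unix.so option %r is not recognised%s" % (
                    e["type"], arg, " (did you mean %r?)" % hint[0] if hint else ""))
    return findings


if __name__ == "__main__":
    for label, stack in (("as posted", DAN_STACK_AS_POSTED), ("corrected", CORRECTED_STACK)):
        print("%s: %s" % (label, audit(stack) or ["no findings"]))
```

One caveat the checker cannot see: pam_ldap in the account phase only enforces LDAP-side account restrictions. The UID, GID, home directory and shell that sshd and pam_succeed_if need come through NSS, so `passwd`, `shadow` and `group` in /etc/nsswitch.conf must list `ldap` as well. The "error retrieving information about user testuser" line in the original message is a failed getpwnam() on the client, which is an NSS problem rather than a Kerberos one.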
Just to see if I understood it correctly: it is mandatory that every LDAP user has a functional Kerberos login (user and PW). Is it possible for such a user to access a server that only has LDAP for authentication and checks against the LDAP server?
About testing: how can I check if the information is pulled out of LDAP?
Thanks in advance :)
Peter
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of nimmermehr@chello.at Sent: Wednesday, January 27, 2010 6:29 AM To: centos@centos.org Subject: [CentOS] Kerberos integration in directory server
If you are utilizing Kerberos on the authentication part of the process then you need the user to exist in LDAP also, as Kerberos cannot hold Unix account information (UID, GID, etc.). I'm not too certain on where Directory Server stores its log files, but you should be able to check there for lookups for "username" around the time of the attempted login.
Dan
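Peter's testing question (how to tell whether the account information really comes from LDAP) and Dan's pointer to the directory server's log can be turned into a check. The script below is an added example, not code from the thread: it takes the sshd lines from Peter's message, tells an account-lookup failure (NSS could not resolve the user) apart from a password failure, and then looks in the directory server's access log for the search the client should have issued for that uid. The access-log lines are constructed in the Red Hat/389 Directory Server access-log format, their path (/var/log/dirsrv/slapd-<instance>/access) is assumed, and the example domain is made up.

```python
"""Correlate the client's sshd/PAM log with the directory server's access
log to tell an account-lookup (NSS) failure from a password failure.
Added example; not code from the thread.  Access-log lines are constructed
in the 389/Red Hat Directory Server format; the domain is made up."""
import re

# sshd lines quoted in Peter's message (client 'monarch').
SSHD_LOG = """\
Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user unknown
Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error retrieving information about user testuser
Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user testuser from 192.168.0.1 port 1142 ssh2
"""

# Constructed Directory Server access-log excerpt (assumed default path
# /var/log/dirsrv/slapd-<instance>/access).  The client's NSS lookup arrives
# as a SRCH filtering on uid=<user>; the matching RESULT line reports how
# many entries matched (nentries).
DS_ACCESS_LOG = """\
[25/Jan/2010:13:24:59 +0100] conn=17 fd=64 slot=64 connection from 192.168.0.10 to 192.168.0.2
[25/Jan/2010:13:24:59 +0100] conn=17 op=0 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=testuser))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos"
[25/Jan/2010:13:24:59 +0100] conn=17 op=0 RESULT err=0 tag=101 nentries=0 etime=0
"""

RE_LOOKUP_FAIL = re.compile(r"error retrieving information about user (\S+)")
RE_INVALID_USER = re.compile(r"Failed password for invalid user (\S+) from (\S+)")
RE_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="([^"]*)"')
RE_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) .*nentries=(\d+)")


def triage_sshd(log):
    """Return {user: {'lookup_failed': bool, 'rhost': str}}.

    'lookup_failed' means getpwnam() failed on the client (pam_succeed_if's
    'error retrieving information' and sshd's 'invalid user'), i.e. the
    account never came from NSS/LDAP; pam_krb5 is not what failed."""
    users = {}
    for line in log.splitlines():
        m = RE_LOOKUP_FAIL.search(line)
        if m:
            users.setdefault(m.group(1), {"rhost": None})["lookup_failed"] = True
        m = RE_INVALID_USER.search(line)
        if m:
            u = users.setdefault(m.group(1), {})
            u["lookup_failed"] = True
            u["rhost"] = m.group(2)
    return users


def ldap_lookups(access_log, user):
    """Return one dict per directory search that filtered on uid=<user>,
    paired with its RESULT; an empty list means the server never saw one."""
    pending, results = {}, []
    wanted = re.compile(r"\(uid=%s\)" % re.escape(user))
    for line in access_log.splitlines():
        m = RE_SRCH.search(line)
        if m:
            if wanted.search(m.group(3)):
                pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RE_RESULT.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            results.append({"filter": pending.pop((m.group(1), m.group(2))),
                            "err": int(m.group(3)), "nentries": int(m.group(4))})
    return results


def diagnose(sshd_log, access_log, user):
    """Combine both logs into a single verdict for `user`."""
    info = triage_sshd(sshd_log).get(user)
    if not info or not info.get("lookup_failed"):
        return "no account-lookup failure for %s in the sshd log" % user
    searches = ldap_lookups(access_log, user)
    if not searches:
        return ("account lookup for %s failed and the directory never saw a search: "
                "check nsswitch.conf (passwd/shadow/group: files ldap) and ldap.conf" % user)
    if all(s["nentries"] == 0 for s in searches):
        return ("account lookup for %s failed; the directory answered but matched 0 entries: "
                "check the search base and that the entry has objectClass posixAccount" % user)
    return "directory returned the account for %s; look elsewhere in the PAM stack" % user


if __name__ == "__main__":
    print(diagnose(SSHD_LOG, DS_ACCESS_LOG, "testuser"))
```

On the client itself, `getent passwd testuser` is the quickest equivalent of the NSS lookup the script is reasoning about: if it prints nothing, /etc/nsswitch.conf or ldap.conf is the problem and no PAM change will help. The constructed access log shows the other case, a search that reached the server but matched no entry (nentries=0), which points at the search base or the entry's object classes instead.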