>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of nimmermehr at chello.at
>> Sent: Tuesday, January 26, 2010 6:23 AM
>> To: centos at centos.org
>> Subject: [CentOS] Kerberos integration in directory server
>>
>> Hi,
>>
>> Got some issues regarding Kerberos and Directory Server and hope someone can help me out.
>> Used these for the configuration:
>> http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
>> http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
>>
>> Server: CentOS 5.4 with Kerberos and Directory Server installed
>> Client: CentOS 5.4
>>
>> I use putty to connect to the client, which authenticates against the server.
>> Using Kerberos or LDAP worked perfectly (using system-config-authentication on the client for configuration).
>>
>> The only thing that doesn't seem to work is the kerberized version of the login via LDAP on the directory server. Shouldn't I get a Kerberos ticket for that? If I activate Kerberos AND LDAP in system-config-authentication it fails:
>>
>> Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user unknown
>> Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
>> Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error retrieving information about user testuser
>> Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user testuser from 192.168.0.1 port 1142 ssh2
>>
>> I followed the instructions here:
>> http://directory.fedoraproject.org/wiki/Howto:Kerberos
>>
>> Maybe I just didn't get it ;)
>>
>> Thanks in advance,
>>
>> Peter
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>
> My setup is a tad different than yours in that I integrated MIT Kerberos with OpenLDAP. While our configurations are different I'm sure you're trying for kerberized logins (system authenticates against Kerberos and pulls account information from LDAP). If so, here are some items you may want to verify you have included in your system-auth config file.
>
>     auth        sufficient    pam_krb5.so use_first_pass
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     account     sufficient    pam_ldap.so
>     account     required      pam_unix.so
>     password    sufficient    pam_krb5.so
>     password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>     session     optional      pam_keyinit.so revoke
>     session     optional      pam_krb5.so
>
> Dan

Just to see if I understood it correctly: it is mandatory that every LDAP user has a functional Kerberos login (user and PW). Is it possible for such a user to access a server that only has LDAP for authentication and checks against the LDAP server?

About testing: how can I check if the information is pulled out of LDAP?

Thanks in advance :)

Peter
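As an added example that is not part of the thread (neither Peter's nor Dan's code), here is a small shell script for checking the two things the exchange turns on: that the system-auth stack carries the pam_krb5 auth entry and the pam_ldap account entry Dan lists, and that nsswitch.conf sends passwd lookups to LDAP, which is the lookup behind the "pam_succeed_if ... error retrieving information about user testuser" line in Peter's log (pam_succeed_if and pam_ldap both need the account to resolve before any password is checked). The file names, the sample file contents and the user name "testuser" are constructed for the example; getent and "klist -s" are assumed to be the stock tools on a CentOS 5 host.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks for the "Kerberos
# authenticates, LDAP supplies the account" login stack:
#   1. the PAM stack has pam_krb5 in the auth section and pam_ldap in the
#      account section;
#   2. nsswitch.conf lists ldap as a passwd source, so getent/pam_succeed_if
#      can resolve the user at all.
# Sample file names and contents below are constructed for the demo.

# Returns 0 when FILE (a system-auth style PAM config) carries both the
# pam_krb5 auth line and the pam_ldap account line. PAM types are matched
# case-insensitively; only the plain control words are recognised.
check_pam_stack() {
    f="$1"
    grep -Eiq '^[[:space:]]*auth[[:space:]]+(sufficient|required|requisite)[[:space:]]+pam_krb5\.so' "$f" || return 1
    grep -Eiq '^[[:space:]]*account[[:space:]]+(sufficient|required|requisite)[[:space:]]+pam_ldap\.so' "$f" || return 1
    return 0
}

# Returns 0 when the passwd source list in FILE (nsswitch.conf) names ldap.
check_nss_passwd() {
    grep -Eq '^[[:space:]]*passwd:.*([[:space:]]|,)ldap([[:space:]]|,|$)' "$1"
}

# Returns 0 when the running system resolves USER through whatever sources
# nsswitch.conf lists. If it succeeds while /etc/passwd has no such line,
# the entry is coming from the ldap source.
check_user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Returns 0 when the caller holds a valid Kerberos ticket cache (klist -s
# prints nothing and only sets the exit status), i.e. a TGT was obtained.
check_have_ticket() {
    klist -s 2>/dev/null
}

# --- constructed sample inputs -------------------------------------------
tmp=$(mktemp -d "${TMPDIR:-/tmp}/authcheck.XXXXXX")
trap 'rm -rf "$tmp"' EXIT

PAM_KRB_LDAP="$tmp/system-auth.krb-ldap"   # the stack from the reply
cat >"$PAM_KRB_LDAP" <<'EOF'
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
account     sufficient    pam_ldap.so
account     required      pam_unix.so
EOF

PAM_LOCAL_ONLY="$tmp/system-auth.local"    # local-accounts-only stack
cat >"$PAM_LOCAL_ONLY" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
EOF

NSS_WITH_LDAP="$tmp/nsswitch.ldap"
printf 'passwd:     files ldap\ngroup:      files ldap\n' >"$NSS_WITH_LDAP"

NSS_FILES_ONLY="$tmp/nsswitch.files"
printf 'passwd:     files\ngroup:      files\n' >"$NSS_FILES_ONLY"

# Prints PASS/FAIL for one check; the check's exit status is passed through.
report() {
    label="$1"; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

if [ "${1:-}" = "--demo" ]; then
    report "krb+ldap stack has krb5 auth and ldap account" check_pam_stack "$PAM_KRB_LDAP"
    report "local-only stack (expected to fail)"           check_pam_stack "$PAM_LOCAL_ONLY"
    report "nsswitch lists ldap for passwd"                check_nss_passwd "$NSS_WITH_LDAP"
    report "nsswitch files only (expected to fail)"        check_nss_passwd "$NSS_FILES_ONLY"
    report "testuser resolvable via getent"                check_user_resolves testuser
    report "valid Kerberos ticket in cache"                check_have_ticket
fi
```

Run it with --demo to see PASS/FAIL lines for the constructed files plus the two live checks; on a real client point check_pam_stack at /etc/pam.d/system-auth and check_nss_passwd at /etc/nsswitch.conf. For Peter's testing question, "getent passwd testuser" succeeding on a host whose /etc/passwd has no such entry shows the account information is being pulled from LDAP, and "klist" after a kerberized ssh login shows whether the session actually obtained a ticket.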