[CentOS] Kerberos integration in directory server

Wed Jan 27 12:29:03 UTC 2010
nimmermehr at chello.at <nimmermehr at chello.at>

>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>> Behalf Of nimmermehr at chello.at
>> Sent: Tuesday, January 26, 2010 6:23 AM
>> To: centos at centos.org
>> Subject: [CentOS] Kerberos integration in directory server
>> 
>> Hi,
>> 
>> Got some issues regarding Kerberos and Directory Server and hope someone
>> can help me out.
>> Used these for the configuration:
>> http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
>> http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
>> 
>> Server : CentOS 5.4 with Kerberos and Directory Server installed
>> Client : CentOS 5.4
>> 
>> I use putty to connect to the client, which authenticates against the
>> server.
>> Using Kerberos or LDAP worked perfectly (using system-config-
>> authentication on the client for configuration)
>> 
>> The only thing that doesn't seem to work is the kerberized version of the
>> login via LDAP on the directory Server. Shouldn't I get a Kerberos ticket
>> for that? If I activate kerberos AND ldap in system-config-authentication
>> it fails:
>> 
>> Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user
>> unknown
>> Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
>> Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error
>> retrieving information about user testuser
>> Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user
>> testuser from 192.168.0.1 port 1142 ssh2
>> 
>> I followed the instructions here:
>> http://directory.fedoraproject.org/wiki/Howto:Kerberos
>> 
>> Maybe I just didn't get it ;)
>> 
>> Thanks in advance,
>> 
>> Peter
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos

>My setup is a tad different than yours in that I integrated MIT Kerberos with OpenLDAP. While our configurations are different I'm sure you're trying for kerberized logins (System authenticates against Kerberos and pulls account information from LDAP). If so, here are some items you may want to verify you have included in your system-auth config file.

>auth		sufficient	pam_krb5.so use_first_pass
>auth		sufficient	pam_unix.so nullok try_first_pass
>
>account		sufficient	pam_ldap.so
>account		required	pam_unix.so
>
>password	sufficient	pam_krb5.so
>password	sufficient	pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>
>session		optional	pam_keyinit.so revoke
>session		optional	pam_krb5.so

>Dan

Just to see if I understood it correctly:
It is mandatory that every LDAP user has a functional Kerberos login (user and PW). Is it possible for such a user to access a server that only has LDAP for authentication and checks against the LDAP server?

About testing: How can I check if the information is pulled out of LDAP?

Thanks in advance :)

Peter
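The two halves of a kerberized login (NSS account lookup versus credential check) fail with different sshd log lines, and the ones quoted above are the lookup half. As an added example that is not part of the thread, this POSIX sh helper classifies such lines, checks which sources an nsswitch.conf passwd line lists, and reports where getent resolved a user. The SAMPLE_* log text is constructed from the quoted lines; paths are the standard glibc ones.

```sh
#!/bin/sh
# Added diagnostic helper (not from the thread). Distinguishes "the system
# never resolved the user" (NSS/LDAP side) from "the user resolved but the
# credential was rejected" (PAM auth side, e.g. Kerberos).

# Constructed from the sshd lines quoted in the thread: lookup failure.
SAMPLE_NSS_FAIL='Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user unknown
Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error retrieving information about user testuser
Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user testuser from 192.168.0.1 port 1142 ssh2'

# Constructed: what sshd/pam_unix log when the user resolves but auth fails.
SAMPLE_AUTH_FAIL='Jan 25 13:30:00 monarch sshd[4001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=testuser
Jan 25 13:30:02 monarch sshd[4001]: Failed password for testuser from 192.168.0.1 port 1150 ssh2'

# classify_sshd_log LOGTEXT -> nss | auth | ok
# "nss": NSS could not resolve the user, so pam_ldap/pam_krb5 never got a
#        chance; fix nsswitch.conf / nslcd before touching PAM.
# "auth": the user resolved; the password or Kerberos check is what failed.
classify_sshd_log() {
    if printf '%s\n' "$1" | grep -Eq 'error retrieving information about user|invalid user|user unknown'; then
        echo nss
    elif printf '%s\n' "$1" | grep -Eq 'authentication failure|Failed password'; then
        echo auth
    else
        echo ok
    fi
}

# nss_passwd_has NSSWITCH_TEXT SOURCE -> exit 0 if the passwd: line lists SOURCE
# Usage on a host: nss_passwd_has "$(cat /etc/nsswitch.conf)" ldap
nss_passwd_has() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*passwd:[[:space:]]*//p' \
        | grep -Eq "(^|[[:space:]])$2([[:space:]]|\$)"
}

# user_source USER -> none | local | remote
# "remote" means getent resolved the user but /etc/passwd does not have it,
# i.e. the account data came from a non-files source such as LDAP.
# "none" is exactly the state behind the "invalid user" lines above.
user_source() {
    if ! getent passwd "$1" >/dev/null 2>&1; then
        echo none
    elif grep -q "^$1:" /etc/passwd; then
        echo local
    else
        echo remote
    fi
}
```

On the client, `getent passwd testuser` returning nothing while `ldapsearch` finds the entry points at nsswitch.conf or nslcd, not at PAM or Kerberos.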