On 10/04/2011 17:31, Alain Péan wrote:
> Hi all,
>
> I just upgraded more servers, and doing some tests I found that my setup
> for kerberos/ldap authentication against Active Directory is no longer
> working. I don't know why...
> I followed Scott Lowe's blog some time ago for this setup:
> http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
>
> And it was working correctly until the upgrade. What is curious is that
> the id command and getent passwd work correctly:
> # id pean
> uid=9808(pean) gid=5027(ida) groupes=5027(ida),10(wheel),100(users),5024(info)
>
> # getent passwd |grep pean
> pean:*:9808:5027:pean:/home/pean:/bin/bash
>
> 'pean' is an AD account. But when I try to authenticate, even locally:
>
> So LDAP is correctly found. It is the password that seems problematic...
>
> ]$ su - pean
> Mot de passe :
> Mot de passe :
> su: incorrect password
>
> Here is the content of my system-auth-ac pam module:
> ]$ cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so likeauth nullok
> auth        sufficient    pam_krb5.so
> auth        required      pam_deny.so
>
> account     sufficient    pam_unix.so
> account     sufficient    pam_krb5.so
> account     sufficient    pam_succeed_if.so uid < 100 quiet
> account     required      pam_deny.so
>
> password    requisite     pam_cracklib.so retry=3
> password    sufficient    pam_unix.so nullok use_authtok md5 shadow
> password    required      pam_deny.so
>
> session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session     required      pam_limits.so
> session     required      pam_unix.so
>
> Does anyone have an idea where to look? I noticed that 5.6 introduced sssd,
> and I know that in RHEL 6.0 TLS/SSL authentication is mandatory for LDAP
> authentication...
>
> Thanks for the help.
>
> Alain

After further verification, it seems to be related to ticket granting.
Here is what I have in /var/log/messages:

su: pam_krb5[7200]: TGT failed verification using keytab and key for 'host/bardeen.lab-lpp.local at LAB-LPP.LOCAL': Cannot find ticket for requested realm

Alain

-- 
==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================