[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Sun Apr 10 15:47:08 UTC 2011
Alain Péan <alain.pean at lpp.polytechnique.fr>

On 10/04/2011 17:31, Alain Péan wrote:
> Hi all,
>
> I just upgraded more servers, and doing some tests I found that my setup
> for kerberos/ldap authentication against Active Directory is no longer
> working. I don't know why...
> I followed Scott Lowe's blog some time ago for this setup:
> http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
>
> And it was working correctly until the upgrade. What is curious is that
> id command and getent passwd works correctly :
> # id pean
> uid=9808(pean) gid=5027(ida)
> groupes=5027(ida),10(wheel),100(users),5024(info)
>
> # getent passwd |grep pean
> pean:*:9808:5027:pean:/home/pean:/bin/bash
>
> 'pean' is an AD account. But when I try to authenticate, even locally:
>
> So LDAP is correctly found. It is the password that seems problematic...
>
> ]$ su - pean
> Mot de passe :
> Mot de passe :
> su: incorrect password
>
> Here is the content of my system-auth-ac pam module :
> ]$ cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth     required   pam_env.so
> auth     sufficient pam_unix.so likeauth nullok
> auth     sufficient pam_krb5.so
> auth     required   pam_deny.so
>
> account  sufficient pam_unix.so
> account  sufficient pam_krb5.so
> account  sufficient pam_succeed_if.so uid<  100 quiet
> account  required   pam_deny.so
>
> password requisite  pam_cracklib.so retry=3
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password  required  pam_deny.so
>
> session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session  required   pam_limits.so
> session  required   pam_unix.so
>
> Has anyone an idea where to look ? I noticed that 5.6 introduced sssd,
> and I know that in RHEL 6.0 TLS/SSL authentication is mandatory for LDAP
> authentication...
>
> Thanks for the help.
>
> Alain

After further verification, it seems to be related to ticket granting.
Here is what I have in /var/log/messages:
su: pam_krb5[7200]: TGT failed verification using keytab and key for 'host/bardeen.lab-lpp.local@LAB-LPP.LOCAL': Cannot find ticket for requested realm

Alain

-- 
==========================================================
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
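The log line above says pam_krb5 got a TGT for the user but could not verify it "using keytab and key for 'host/bardeen.lab-lpp.local@LAB-LPP.LOCAL'". pam_krb5 performs that verification by looking up a host key in /etc/krb5.keytab and requesting a service ticket for it, so the keytab must contain host/<fqdn>@<REALM> for a realm the KDC actually serves. The script below is an added diagnostic for that failure mode; it is not from the original thread and not part of pam_krb5. It parses `klist -k -t` output (a constructed sample is embedded, copying the principal from the log line) and reports whether the host principal is present, whether the keytab holds keys for the realm at all, and, in live mode, whether `kvno` can fetch a service ticket for it, which is the step that fails in the message. The `KEYTAB` variable, the function names and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original thread: check that the keytab pam_krb5
# uses for TGT verification holds host/<fqdn>@<REALM> and that the KDC will
# issue a ticket for it. Sample data below is constructed.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"   # assumed default keytab path

# Constructed sample of `klist -k -t /etc/krb5.keytab` output, so the parsing
# can be exercised without a KDC. The first principal is the one in the log.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/10/11 10:00:00 host/bardeen.lab-lpp.local@LAB-LPP.LOCAL
   3 04/10/11 10:00:00 HOST/BARDEEN@LAB-LPP.LOCAL'

# keytab_principals <klist-output>: print only the principal column.
keytab_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /@/ { print $NF }'
}

# keytab_has_principal <klist-output> <principal>: 0 if the exact name is listed.
keytab_has_principal() {
    keytab_principals "$1" | grep -Fxq -- "$2"
}

# keytab_realms <klist-output>: distinct realms present in the keytab.
keytab_realms() {
    keytab_principals "$1" | sed 's/.*@//' | sort -u
}

# expected_host_principal <fqdn> <realm>: the name pam_krb5 will look for.
expected_host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# check_keytab <klist-output> <fqdn> <realm>
#   0: host key for this realm is present
#   1: keytab has keys for the realm, but not for this host name
#   2: keytab has no key for this realm at all (realm mismatch)
check_keytab() {
    want=$(expected_host_principal "$2" "$3")
    if keytab_has_principal "$1" "$want"; then
        return 0
    elif keytab_realms "$1" | grep -Fxq -- "$3"; then
        return 1
    else
        return 2
    fi
}

# live_check <fqdn> <realm>: run the checks against the real keytab and, when
# the host key is present, ask the KDC for a service ticket with kvno. Needs a
# valid TGT in the credential cache (kinit) first. Returns the check_keytab code.
live_check() {
    out=$(klist -k -t "$KEYTAB" 2>&1) || { echo "cannot read $KEYTAB: $out"; return 3; }
    check_keytab "$out" "$1" "$2"; rc=$?
    want=$(expected_host_principal "$1" "$2")
    case $rc in
      0) echo "keytab holds $want; requesting a service ticket for it"
         kvno "$want" ;;
      1) echo "realm $2 is in the keytab but $want is not; the keytab needs the host key for this name" ;;
      2) echo "no key for realm $2 in $KEYTAB; realms present: $(keytab_realms "$out" | tr '\n' ' ')" ;;
    esac
    return $rc
}

# Usage: sh check-keytab.sh --live "$(hostname -f)" LAB-LPP.LOCAL
if [ "${1:-}" = --live ]; then
    live_check "$2" "$3"
fi
```

Run it with `--live` on the affected host after `kinit` as a user; a return code of 2 means pam_krb5 is being asked to verify against a realm for which the keytab has no key, a return code of 1 means the keytab was generated for a different host name, and a failing `kvno` with return code 0 points at the KDC side (the host principal is unknown to the KDC or its key version differs from the keytab's).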