On 12/04/2011 16:28, John Hodrien wrote:
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> Sorry, little error with the output of klist -ke, because I am testing
>> on a test AD domain at this moment. On the first machine, output is :
>> # klist -ke
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
>>    2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
>>    2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>>    2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
>>    2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
>>    2 host/appleton@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>>    2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
>>    2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
>>    2 APPLETON$@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>
> You're still lightly mixing machines though, as your error before referred to
> 'bardeen' not appleton. I'm not certain that I've seen a complete picture
> here.
>
> I think disabling validate would still get you back to your old behaviour, but
> that there's something wrong with the keytabs on these machines.
>
> jh

John,

Thanks for your hint. You are right that the error message and 'klist -ke'
come from different servers. In fact, I solved the problem using the
authconfig command, but I wonder if it is really correct, as I mixed
kerberos and ldap.

Here is the authconfig command for my test domain :

# authconfig --enablekrb5 \
    --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
    --krb5adminserver=pc-2003-test.test-lpp.local \
    --krb5realm=TEST-LPP.LOCAL \
    --enablekrb5kdcdns --enablekrb5realmdns \
    --enableldap --enableldapauth \
    --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
    --ldapbasedn="dc=test-lpp,dc=local" \
    --enablemkhomedir --update

My /etc/krb5.conf is then the following :

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5lib.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = TEST-LPP.LOCAL
 default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local
  kdc = dc1-test.test-lpp.local
  admin_server = pc-2003-test.test-lpp.local
  default_domain = TEST-LPP.LOCAL
  kpasswd_server = pc-2003-test.test-lpp.local
  kdc = *
 }

[domain_realm]
 .test-lpp.local = TEST-LPP.LOCAL
 test-lpp.local = TEST-LPP.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

But both kerberos and ldap appear in /etc/pam.d/system-auth-ac :

# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so

I tried to remove the lines with pam_ldap.so and to add in /etc/krb5.conf,
as you suggested :

[appdefaults]
 pam = {
   novalidate = true
 }

But it failed. With the authconfig configuration, I can authenticate against
Active Directory. So, it works now, but I am not sure it is completely
correct.

Thanks for your help !

Alain

--
==========================================================
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
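The thread turns on whether the host keytab actually holds a key pam_krb5 can use to validate the user's TGT (the check that "novalidate" switches off). The script below is an added example, not from the list or from pam_krb5: it parses klist -ke output, confirms that a host/<fqdn>@REALM entry exists for the machine being debugged, and flags DES entries as weak. The sample listing is constructed from the one quoted above; the hostname and realm passed to check_keytab are assumptions taken from the thread.

```python
import re

# Constructed sample modelled on the klist -ke listing quoted in the thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
   2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 APPLETON$@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
"""

# One keytab entry: "<kvno> <principal>@<realm> (<enctype description>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples from klist -ke output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def check_keytab(text, fqdn, realm):
    """Can this keytab back pam_krb5 ticket validation for host fqdn in realm?

    Validation needs a host/<fqdn>@REALM key in the keytab; without it the
    module cannot obtain and decrypt a service ticket for itself.  DES
    enctypes are reported as weak so they can be retired from the account.
    """
    entries = parse_klist(text)
    want = f"host/{fqdn}"
    host_entries = [e for e in entries if e[1] == want and e[2] == realm]
    weak = sorted({f"{p}@{r} ({enc})" for _, p, r, enc in entries
                   if enc.startswith("DES")})
    return {
        "host_key": bool(host_entries),          # validation possible at all
        "kvnos": {e[0] for e in host_entries},   # must match the KVNO in AD
        "weak": weak,                            # DES keys still present
    }


if __name__ == "__main__":
    print(check_keytab(SAMPLE_KLIST, "appleton.lab-lpp.local", "LAB-LPP.LOCAL"))
```

Run it against the real listing with `klist -ke` piped into `parse_klist`, once per machine, so the keytab and the error message come from the same host.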