[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Tue Apr 12 16:29:32 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Tue, 12 Apr 2011, Alain Péan wrote:

> In fact, I solved the problem using the authconfig command, but I wonder
> if it is really correct, as I mixed kerberos and ldap. Here is the
> authconfig command for my test domain :

Using kerberos and ldap is a perfectly reasonable thing to want to do, but you
need to be sure you're doing what you want.

> # authconfig --enablekrb5
> --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local
> --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL
> --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth
> --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local
> --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update

I'd have thought you want kerberos authentication and ldap user information.
--enableldapauth I suspect is wrong.  You've switched your kerberos REALM from
the original file you mailed.

> My /etc/krb5.conf is then the following :
> ]# cat /etc/krb5.conf
> [logging]
>     default = FILE:/var/log/krb5lib.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     ticket_lifetime = 24000
>     default_realm = TEST-LPP.LOCAL
>     default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
>     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>
> [realms]
>     TEST-LPP.LOCAL = {
>         kdc = pc-2003-test.test-lpp.local
>         kdc = dc1-test.test-lpp.local
>         admin_server = pc-2003-test.test-lpp.local
>         default_domain = TEST-LPP.LOCAL
>         kpasswd_server = pc-2003-test.test-lpp.local
>         kdc = *
>     }
>
> [domain_realm]
>     .test-lpp.local = TEST-LPP.LOCAL
>     test-lpp.local = TEST-LPP.LOCAL
>
> [kdc]
>     profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }

That now looks plausible given what you mailed for the keytab (i.e. the realms
match now).

> But both kerberos and ldap appear in /etc/pam.d/system-auth-ac :

That's because you enabled ldap auth.  You probably don't want that.

> I tried to remove the lines with pam_ldap.so and adding in
> /etc/krb5.conf, as you suggested :
> [appdefaults]
>  pam = {
>    novalidate = true
>  }
>
> But it failed.

Assuming the keytab setup is the same as it was before, you shouldn't need to
bother with that.  I think it should have been validate = false rather than
novalidate = true, I'd misunderstood the manpage.

But if you leave that off, what fails now?

jh
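As an added example (not from the thread or either poster), a small checker for the realm wiring John keeps coming back to: the default realm, the [domain_realm] mappings and the keytab principals must all name the same realm, and single-DES enctypes should not be offered. SAMPLE_CONF and SAMPLE_KEYTAB are constructed sample data modelled on the quoted configuration, and parse_krb5_conf/check_krb5_conf are assumed helper names.

```python
# Added example (not from the thread); SAMPLE_CONF is a constructed krb5.conf resembling the quoted one.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = TEST-LPP.LOCAL
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
    TEST-LPP.LOCAL = {
        kdc = pc-2003-test.test-lpp.local
    }
[domain_realm]
    .test-lpp.local = TEST-LPP.LOCAL
    test-lpp.local = OLD-LPP.LOCAL
"""
# Constructed keytab principals, in the form `klist -kt` lists them (assumed, not from the thread).
SAMPLE_KEYTAB = ["host/pc-2003-test.test-lpp.local@TEST-LPP.LOCAL",
                 "host/pc-2003-test.test-lpp.local@OLD-LPP.LOCAL"]
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # disabled by default since MIT krb5 1.8
def parse_krb5_conf(text):
    # {section: {key: value}}; `name = { ... }` nests a dict and repeated keys (kdc = ...) become lists
    sections, stack = {}, []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("["):
            stack = [sections.setdefault(line.strip("[]"), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                prev = stack[-1].get(key)
                stack[-1][key] = value if prev is None else (prev if isinstance(prev, list) else [prev]) + [value]
    return sections
def check_krb5_conf(text, keytab_principals=()):
    # Yields findings; nothing yielded means realms, domain mappings and keytab agree.
    conf = parse_krb5_conf(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = lib.get("default_realm")
    wanted = {"default_realm": default_realm, **conf.get("domain_realm", {})}
    for where, realm in wanted.items():
        if realm not in realms:
            yield f"{where} refers to realm {realm}, which has no [realms] block"
    for principal in keytab_principals:  # pam_krb5 validates the TGT with the host key in this realm
        if principal.rpartition("@")[2] != default_realm:
            yield f"keytab principal {principal} is not in default realm {default_realm}"
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = SINGLE_DES & set(lib.get(key, "").split())
        if weak:
            yield f"{key} permits single-DES enctypes: {' '.join(sorted(weak))}"
```

Run `list(check_krb5_conf(SAMPLE_CONF, SAMPLE_KEYTAB))` against a real /etc/krb5.conf and the output of `klist -kt` to spot a realm that was renamed in one place but not the others.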