On 12/04/2011 18:29, John Hodrien wrote:
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> In fact, I solved the problem using the authconfig command, but I wonder
>> if it is really correct, as I mixed Kerberos and LDAP. Here is the
>> authconfig command for my test domain:
>
> Using Kerberos and LDAP is a perfectly reasonable thing to want to do, but you
> need to be sure you're doing what you want.
>
>> # authconfig --enablekrb5 \
>>   --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
>>   --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL \
>>   --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth \
>>   --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
>>   --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update
>
> I'd have thought you want Kerberos authentication and LDAP user information.
> --enableldapauth I suspect is wrong. You've switched your Kerberos REALM from
> the original file you mailed.
>
>> My /etc/krb5.conf is then the following:
>> # cat /etc/krb5.conf
>> [logging]
>>  default = FILE:/var/log/krb5lib.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  ticket_lifetime = 24000
>>  default_realm = TEST-LPP.LOCAL
>>  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>>  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>
>> [realms]
>>  TEST-LPP.LOCAL = {
>>   kdc = pc-2003-test.test-lpp.local
>>   kdc = dc1-test.test-lpp.local
>>   admin_server = pc-2003-test.test-lpp.local
>>   default_domain = TEST-LPP.LOCAL
>>   kpasswd_server = pc-2003-test.test-lpp.local
>>   kdc = *
>>  }
>>
>> [domain_realm]
>>  .test-lpp.local = TEST-LPP.LOCAL
>>  test-lpp.local = TEST-LPP.LOCAL
>>
>> [kdc]
>>  profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>>  pam = {
>>   debug = false
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>>  }
>
> That now looks plausible given what you mailed for the keytab (i.e. the realms
> match now).
>
>> But both Kerberos and LDAP appear in /etc/pam.d/system-auth-ac:
>
> That's because you enabled LDAP auth. You probably don't want that.
>
>> I tried removing the lines with pam_ldap.so and adding, in
>> /etc/krb5.conf, as you suggested:
>> [appdefaults]
>>  pam = {
>>   novalidate = true
>>  }
>>
>> But it failed.
>
> Assuming the keytab setup is the same as it was before, you shouldn't need to
> bother with that. I think it should have been validate = false rather than
> novalidate = true, I'd misunderstood the manpage.
>
> But if you leave that off, what fails now?
>
> jh

Indeed, nothing fails now. I want my users to authenticate against Active
Directory, and it works, and I would like them to be able to use their
Kerberos credentials, if they need, to access domain resources, such as
shares. But I have yet to see a problem there.

Thanks again for your help and your comments!

Alain

-- 
==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
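As an added example that is not part of the thread, the script below puts John's advice into a form that can be checked: the authconfig call with --disableldapauth in place of --enableldapauth (shown in a comment, not run), plus three grep-based checks for the things discussed above: whether pam_ldap.so is still in the "auth" stack of system-auth-ac, which single-DES or RC4 enctypes a krb5.conf asks for, and whether pam_krb5 keytab validation has been turned off with validate = false. The hostnames, realm and base DN are the ones posted; the PAM and krb5.conf contents the script feeds to the checks are constructed samples, not files from Alain's machine.

```shell
#!/bin/sh
# Added example (not from the thread): Kerberos for authentication, LDAP for
# identity only, plus checks on the files authconfig writes. Sample file
# contents below are constructed for the demo.

# 1. The authconfig invocation John suggests (run as root; shown, not run).
#    Identical to the posted one except --disableldapauth replaces
#    --enableldapauth, so pam_ldap.so stays out of system-auth-ac while
#    nss_ldap still supplies users and groups:
#
#   authconfig --enablekrb5 \
#     --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
#     --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL \
#     --enablekrb5kdcdns --enablekrb5realmdns \
#     --enableldap --disableldapauth \
#     --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
#     --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update

# 2. Checks. Each takes a file path and uses only grep, so it runs against a
#    copy of the real file or against the constructed samples below.

# Succeeds (exit 0) if an "auth" line still loads pam_ldap.so, i.e. LDAP
# password authentication is enabled next to pam_krb5.
pam_uses_ldap_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_ldap\.so' "$1"
}

# Prints the single-DES and RC4 enctypes requested in a krb5.conf, one per
# line, de-duplicated. The posted file asks for des-cbc-crc; single DES is
# broken and newer Windows DCs refuse it entirely.
krb5_weak_enctypes() {
    grep -Eo 'des-cbc-(crc|md5|md4)|arcfour-hmac(-exp)?|rc4-hmac' "$1" | sort -u
}

# Succeeds if pam_krb5 is told not to verify the TGT against the host keytab
# (validate = false). Without that check a spoofed KDC can log a user in;
# with a correct host keytab, as John says, the option is not needed at all.
krb5_pam_validation_disabled() {
    grep -Eq '^[[:space:]]*validate[[:space:]]*=[[:space:]]*false' "$1"
}

# 3. Constructed samples (written to a scratch directory, removed on exit).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# The auth stack authconfig writes with --enableldapauth (constructed).
cat > "$SAMPLE_DIR/system-auth-ac.ldapauth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
EOF

# The same stack after --disableldapauth: only the pam_ldap.so line differs.
grep -v 'pam_ldap\.so' "$SAMPLE_DIR/system-auth-ac.ldapauth" \
    > "$SAMPLE_DIR/system-auth-ac.krb5only"

# The relevant parts of the posted krb5.conf, with the validate = false line
# that was under discussion added to the pam block (constructed).
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = TEST-LPP.LOCAL
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[appdefaults]
 pam = {
  validate = false
  forwardable = true
 }
EOF

# 4. Report.
audit() {
    for f in "$SAMPLE_DIR/system-auth-ac.ldapauth" "$SAMPLE_DIR/system-auth-ac.krb5only"; do
        if pam_uses_ldap_auth "$f"; then
            echo "$f: pam_ldap.so still in the auth stack (use --disableldapauth)"
        else
            echo "$f: auth goes through pam_krb5 only"
        fi
    done
    echo "weak enctypes in krb5.conf: $(krb5_weak_enctypes "$SAMPLE_DIR/krb5.conf" | tr '\n' ' ')"
    if krb5_pam_validation_disabled "$SAMPLE_DIR/krb5.conf"; then
        echo "pam_krb5 keytab validation is off: drop 'validate = false' once the host keytab is right"
    fi
}

audit
```

To use the checks on a real client, point pam_uses_ldap_auth at /etc/pam.d/system-auth-ac and the other two at /etc/krb5.conf; remember that authconfig regenerates system-auth-ac, so the lasting fix is re-running it with --disableldapauth rather than hand-editing the pam_ldap.so lines out.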