[CentOS] Kerberos/LDAP authentication no longer working in 5.6 ?
Alain Péan
alain.pean at lpp.polytechnique.fr
Tue Apr 12 16:49:07 UTC 2011
On 12/04/2011 18:29, John Hodrien wrote:
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> In fact, I solved the problem using the authconfig command, but I wonder
>> if it is really correct, as I mixed kerberos and ldap. Here is the
>> authconfig command for my test domain :
>
> Using kerberos and ldap is a perfectly reasonable thing to want to do,
> but you need to be sure you're doing what you want.
>
>> # authconfig --enablekrb5 \
>>   --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
>>   --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL \
>>   --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth \
>>   --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
>>   --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update
>
> I'd have thought you want kerberos authentication and ldap user
> information. --enableldapauth I suspect is wrong. You've switched your
> kerberos REALM from the original file you mailed.
>
>> My /etc/krb5.conf is then the following :
>> ]# cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5lib.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> ticket_lifetime = 24000
>> default_realm = TEST-LPP.LOCAL
>> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>>
>> [realms]
>> TEST-LPP.LOCAL = {
>> kdc = pc-2003-test.test-lpp.local
>> kdc = dc1-test.test-lpp.local
>> admin_server = pc-2003-test.test-lpp.local
>> default_domain = TEST-LPP.LOCAL
>> kpasswd_server = pc-2003-test.test-lpp.local
>> kdc = *
>> }
>>
>> [domain_realm]
>> .test-lpp.local = TEST-LPP.LOCAL
>> test-lpp.local = TEST-LPP.LOCAL
>>
>> [kdc]
>> profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>
> That now looks plausible given what you mailed for the keytab (i.e.
> the realms match now).
>
>> But both kerberos and ldap appear in /etc/pam.d/system-auth-ac :
>
> That's because you enabled ldap auth. You probably don't want that.
>
>> I tried to remove the lines with pam_ldap.so and adding in
>> /etc/krb5.conf, as you suggested :
>> [appdefaults]
>> pam = {
>> novalidate = true
>> }
>>
>> But it failed.
>
> Assuming the keytab setup is the same as it was before, you shouldn't
> need to bother with that. I think it should have been validate = false
> rather than novalidate = true, I'd misunderstood the manpage.
>
> But if you leave that off, what fails now?
>
> jh
>
Indeed, nothing fails now. I want my users to authenticate against
Active Directory, and it works, and I would like them to be able to use
their Kerberos credentials, if they need, to access domain resources,
such as shares. But I have yet to see a problem there.
Thanks again for your help and your comments !
Alain
--
==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
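The two things this exchange turned on were whether the realm in /etc/krb5.conf matches the realm the host keytab was issued for, and what sits in [libdefaults]. The script below is an added example, not something posted in this thread or shipped with CentOS: it runs the same two checks offline. The krb5.conf text is a constructed copy of the posted one (with the mistyped enctype key left in on purpose), and the `klist -kte` listing is constructed for a hypothetical host named centos56; on a real machine pass the path to /etc/krb5.conf and the real `klist -kte /etc/krb5.keytab` output instead. Two caveats it encodes: libkrb5 silently ignores unknown [libdefaults] keys, so `default_tk_enctypes` (for `default_tkt_enctypes`) leaves the default list in force; and single DES has been disabled by default since MIT krb5 1.8 unless `allow_weak_crypto` is set. The thread's advice not to bother with `validate = false` is also the safe one: pam_krb5's validation uses the host key in the keytab to confirm the TGT came from a KDC that knows that key, which is what defends against a spoofed KDC.

```shell
#!/bin/sh
# Added example (not from the thread or from CentOS): offline sanity checks for
# a krb5.conf/keytab pair. Inputs are text so it runs without a KDC.

# Constructed sample modelled on the posted config; the misspelled key is kept
# deliberately so the check below has something to find.
SAMPLE_KRB5_CONF='[libdefaults]
 ticket_lifetime = 24000
 default_realm = TEST-LPP.LOCAL
 default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local
 }'

# Constructed `klist -kte` output for a hypothetical host "centos56" joined to
# the same realm. The principal names are invented for this example.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/12/11 10:00:00 host/centos56.test-lpp.local@TEST-LPP.LOCAL (ArcFour with HMAC/md5)
   3 04/12/11 10:00:00 host/centos56.test-lpp.local@TEST-LPP.LOCAL (DES cbc mode with CRC-32)'

# conf_value KEY: print the value of the first "KEY = value" line on stdin.
conf_value() {
    awk -v key="$1" -F= '
        $1 ~ "^[ \t]*" key "[ \t]*$" {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }'
}

# keytab_realms: print each distinct realm named in `klist -kte` output on stdin
# (the principal is the fourth column; everything after "@" is the realm).
keytab_realms() {
    awk '/@/ { p = $4; sub(/.*@/, "", p); print p }' | sort -u
}

# realm_matches CONF_TEXT KEYTAB_LISTING: succeed only if default_realm in the
# config is a realm the keytab actually holds keys for.
realm_matches() {
    realm=$(printf '%s\n' "$1" | conf_value default_realm)
    [ -n "$realm" ] || return 1
    printf '%s\n' "$2" | keytab_realms | grep -qxF "$realm"
}

# enctype_findings CONF_TEXT: one line per problem in [libdefaults], none if clean.
enctype_findings() {
    conf=$1
    if printf '%s\n' "$conf" | grep -qE '^[[:space:]]*default_tk_enctypes[[:space:]]*='; then
        echo 'default_tk_enctypes: not a krb5.conf key (did you mean default_tkt_enctypes?); it is ignored'
    fi
    for key in default_tkt_enctypes default_tgs_enctypes permitted_enctypes; do
        val=$(printf '%s\n' "$conf" | conf_value "$key")
        case " $val " in
            *" des-cbc-"*) echo "$key: single DES in '$val'; disabled by default since krb5 1.8" ;;
        esac
        case " $val " in
            *" des3-"*|*" arcfour-"*) echo "$key: deprecated enctype in '$val'; prefer aes256-cts-hmac-sha1-96" ;;
        esac
    done
}

# Usage: sh krbcheck.sh                                  (constructed samples)
#        sh krbcheck.sh /etc/krb5.conf "$(klist -kte /etc/krb5.keytab)"
if [ $# -ge 2 ]; then conf=$(cat "$1"); keytab=$2; else conf=$SAMPLE_KRB5_CONF; keytab=$SAMPLE_KEYTAB; fi
if realm_matches "$conf" "$keytab"; then
    echo "realm: krb5.conf default_realm matches the keytab"
else
    echo "realm: MISMATCH between krb5.conf default_realm and the keytab principals"
fi
enctype_findings "$conf"
```

Run it before editing PAM: a realm mismatch here is exactly the failure that looks like "Kerberos stopped working" after a config rewrite, and it is cheaper to spot in the config than by reading pam_krb5 debug output.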