[CentOS] Kerberos/LDAP authentication no longer working in 5.6?

Sun Apr 10 15:31:07 UTC 2011
Alain Péan <alain.pean at lpp.polytechnique.fr>

Hi all,

I just upgraded more servers, and while doing some tests I found that my setup 
for Kerberos/LDAP authentication against Active Directory is no longer 
working. I don't know why...
Some time ago I followed Scott Lowe's blog for this setup:

And it was working correctly until the upgrade. What is curious is that 
the id command and getent passwd work correctly:
# id pean
uid=9808(pean) gid=5027(ida) 

# getent passwd |grep pean

'pean' is an AD account. But when I try to authenticate, even locally:

So LDAP is correctly found. It is the password that seems problematic...

]$ su - pean
Mot de passe :
Mot de passe :
su: incorrect password

Here is the content of my system-auth-ac PAM module:
]$ cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_krb5.so
auth     required   pam_deny.so

account  sufficient pam_unix.so
account  sufficient pam_krb5.so
account  sufficient pam_succeed_if.so uid < 100 quiet
account  required   pam_deny.so

password requisite  pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password  required  pam_deny.so

session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required   pam_limits.so
session  required   pam_unix.so

Does anyone have an idea where to look? I noticed that 5.6 introduced sssd, 
and I know that in RHEL 6.0 TLS/SSL authentication is mandatory for LDAP 

Thanks for the help.


Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
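
Added example, not part of the original post: a simplified Python model of the PAM control flags that walks the auth stack posted above and lists which management groups call pam_krb5.so, showing that for an account with no local password the auth result depends only on pam_krb5.so. The function names and the per-module outcomes passed to `evaluate` are assumptions for illustration.

```python
# Added example: simplified model of PAM control flags. Only required,
# requisite, sufficient and optional are modelled, not [value=action] syntax.
SYSTEM_AUTH = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_krb5.so
auth     required   pam_deny.so
account  sufficient pam_unix.so
account  sufficient pam_krb5.so
account  sufficient pam_succeed_if.so uid < 100 quiet
account  required   pam_deny.so
password requisite  pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password  required  pam_deny.so
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required   pam_limits.so
session  required   pam_unix.so
"""  # the stack posted above, comments and blank lines dropped
GROUPS = ("auth", "account", "password", "session")

def parse_stack(text, group):
    """Return [(control, module)] for one management group, in file order."""
    rows = (l.split("#", 1)[0].split() for l in text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == group]

def groups_using(text, module):
    """Management groups whose stack calls the given module."""
    return [g for g in GROUPS if any(m == module for _, m in parse_stack(text, g))]

def evaluate(stack, outcomes):
    """Walk a stack. outcomes maps module -> bool (assumed per-module result;
    unlisted modules succeed, pam_deny.so always fails).
    Returns (granted, module that decided the result or None)."""
    failed = None  # first required module that failed
    for control, module in stack:
        ok = outcomes.get(module, module != "pam_deny.so")
        if control == "sufficient" and ok and failed is None:
            return True, module              # success ends the stack early
        if control == "requisite" and not ok:
            return False, failed or module   # failure ends the stack early
        if control == "required" and not ok and failed is None:
            failed = module                  # remembered, stack keeps running
    return failed is None, failed

if __name__ == "__main__":
    auth = parse_stack(SYSTEM_AUTH, "auth")
    print(groups_using(SYSTEM_AUTH, "pam_krb5.so"))
    # AD account: no local password, so pam_unix fails; vary pam_krb5 only.
    for krb in (True, False):
        print(krb, evaluate(auth, {"pam_unix.so": False, "pam_krb5.so": krb}))
```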