[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Tue Apr 12 14:20:19 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Tue, 12 Apr 2011, Alain Péan wrote:

> Hi John,
>
> Thnks for your answer. Here are the content of /etc/krb5.conf and klist
> -ke. I agree that there can be siomething missing, that was working
> before...

The keytab isn't valid for the host as it doesn't contain a usable principal
for doing a validation of the KDC.  The pam_krb5 rpm has sensibly changed the
default for validate from false to true.  Try adding:

[appdefaults]
  pam = {
    novalidate = true
  }

I /think/ that'd work, but you'd be less secure than if you just sorted out
your keytab.  Get a real principal for your domain into the keytab, and
validate will work.  You're using LAB-LPP.LOCAL, but only have principals from
TEST-LPP.LOCAL in your keytab.

jh