[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Tue Apr 12 16:19:24 UTC 2011
Alain Péan <alain.pean at lpp.polytechnique.fr>

On 12/04/2011 16:28, John Hodrien wrote:
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> Sorry, little error with the output of klist -ke, because I am testing
>> on a test AD domain at this moment. On the first machine, output is:
>> # klist -ke
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
>>    2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
>>    2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>>    2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
>>    2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
>>    2 host/appleton@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>>    2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
>>    2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
>>    2 APPLETON$@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
>
> You're still lightly mixing machines though, as your error before referred to
> 'bardeen' not appleton.  I'm not certain that I've seen a complete picture
> here.
>
> I think disabling validate would still get you back to your old behaviour, but
> that there's something wrong with the keytabs on these machines.
>
> jh

John,

Thanks for your hint. You are right that the error message and 'klist -ke' 
come from different servers.

In fact, I solved the problem using the authconfig command, but I wonder 
if it is really correct, as I mixed Kerberos and LDAP. Here is the 
authconfig command for my test domain:

# authconfig --enablekrb5 \
    --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
    --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL \
    --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth \
    --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
    --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update

My /etc/krb5.conf is then the following:
# cat /etc/krb5.conf
[logging]
     default = FILE:/var/log/krb5lib.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

[libdefaults]
     ticket_lifetime = 24000
     default_realm = TEST-LPP.LOCAL
     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
     dns_lookup_realm = true
     dns_lookup_kdc = true

[realms]
     TEST-LPP.LOCAL = {
         kdc = pc-2003-test.test-lpp.local
         kdc = dc1-test.test-lpp.local
         admin_server = pc-2003-test.test-lpp.local
         default_domain = TEST-LPP.LOCAL
         kpasswd_server = pc-2003-test.test-lpp.local
         kdc = *
     }

[domain_realm]
     .test-lpp.local = TEST-LPP.LOCAL
     test-lpp.local = TEST-LPP.LOCAL

[kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }


But both Kerberos and LDAP appear in /etc/pam.d/system-auth-ac:
# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so

I tried removing the lines with pam_ldap.so and adding the following in 
/etc/krb5.conf, as you suggested:
[appdefaults]
  pam = {
    novalidate = true
  }

But it failed.

With the authconfig configuration, I can authenticate against Active 
Directory.

So, it works now, but I am not sure it is completely correct.

Thanks for your help !

Alain

-- 
==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
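The thread turns on pam_krb5's ticket validation: before trusting a TGT obtained with the user's password, pam_krb5 requests a service ticket for host/<fqdn>@REALM and decrypts it with the matching key from /etc/krb5.keytab, so validation can only work if that exact principal is in the keytab, at a KVNO the KDC still has, with an enctype the KDC will issue. The script below is an added example, not code from this thread or from CentOS; it parses the text `klist -ke` prints (the listing embedded in it is constructed to mirror the one quoted above) and reports, for a chosen host name, whether such a key exists and which keys use single DES or RC4. The host names, realm and enctype classification are the example's own assumptions; it does not contact a KDC.

```python
"""Inspect a `klist -ke` listing for what pam_krb5 ticket validation needs.

Added example, not code from the mailing-list thread.  Runs offline on the
constructed listing below; pass any other `klist -ke` output to check_keytab().
"""
import re
from collections import defaultdict

# Enctype names exactly as the MIT klist of that era prints them (assumed).
DISABLED_ENCTYPES = {
    "DES cbc mode with CRC-32",   # single DES: off by default in MIT krb5 >= 1.8
    "DES cbc mode with RSA-MD5",  # and in Windows since Server 2008 R2
}
DEPRECATED_ENCTYPES = {
    "ArcFour with HMAC/md5",      # RC4-HMAC: deprecated, but AD still issues it
}

# One keytab entry: "   2 host/x.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+\((.+)\)\s*$")

# Constructed sample, modelled on the listing quoted in the thread.
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/appleton.lab-lpp.local@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
   2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 host/appleton@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 host/appleton@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
   2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with CRC-32)
   2 APPLETON$@LAB-LPP.LOCAL (DES cbc mode with RSA-MD5)
   2 APPLETON$@LAB-LPP.LOCAL (ArcFour with HMAC/md5)
"""


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ke` output.

    Mailing-list archives rewrite '@' as ' at '; undo that so archived
    listings parse the same way as live ones.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            principal = m.group(2).replace(" at ", "@")
            entries.append((int(m.group(1)), principal, m.group(3)))
    return entries


def check_keytab(text, fqdn, realm):
    """Summarise whether the keytab can back pam_krb5 validation for `fqdn`."""
    wanted = "host/%s@%s" % (fqdn, realm)
    keys = defaultdict(list)            # principal -> [(kvno, enctype), ...]
    for kvno, principal, enctype in parse_klist(text):
        keys[principal].append((kvno, enctype))

    host_keys = keys.get(wanted, [])
    return {
        "host_principal": wanted,
        "host_principal_present": bool(host_keys),
        # KVNOs held for the host principal; validation fails if the KDC's
        # current KVNO is not among them (e.g. machine account reset after join)
        "host_kvnos": sorted({kvno for kvno, _ in host_keys}),
        "usable_host_enctypes": sorted(
            e for _, e in host_keys if e not in DISABLED_ENCTYPES),
        "disabled_keys": sorted(
            (p, e) for p, lst in keys.items() for _, e in lst
            if e in DISABLED_ENCTYPES),
        "deprecated_keys": sorted(
            (p, e) for p, lst in keys.items() for _, e in lst
            if e in DEPRECATED_ENCTYPES),
    }


def validation_possible(report):
    """True when the keytab holds a host key the KDC could still match."""
    return report["host_principal_present"] and bool(report["usable_host_enctypes"])


if __name__ == "__main__":
    # 'appleton' is the machine whose keytab is listed; 'bardeen' is the one
    # the earlier error came from, which this keytab cannot validate.
    for host in ("appleton.lab-lpp.local", "bardeen.lab-lpp.local"):
        r = check_keytab(KLIST_SAMPLE, host, "LAB-LPP.LOCAL")
        print(host, "-> validation possible:", validation_possible(r))
        print("  host KVNOs:", r["host_kvnos"],
              "usable enctypes:", r["usable_host_enctypes"])
        print("  DES keys:", len(r["disabled_keys"]),
              "RC4 keys:", len(r["deprecated_keys"]))
```

Running it against the real file on a host (`klist -ke` piped into check_keytab with `hostname -f` and the realm from /etc/krb5.conf) separates "no host principal for this name" from "only DES keys left", which are the two keytab faults that make validate fail while turning it off with novalidate merely hides the problem.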