[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Tue Apr 12 16:49:07 UTC 2011
Alain Péan <alain.pean at lpp.polytechnique.fr>

On 12/04/2011 18:29, John Hodrien wrote:
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> In fact, I solved the problem using the authconfig command, but I wonder
>> if it is really correct, as I mixed kerberos and ldap. Here is the
>> authconfig command for my test domain:
>
> Using kerberos and ldap is a perfectly reasonable thing to want to do, but you
> need to be sure you're doing what you want.
>
>> # authconfig --enablekrb5
>> --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local
>> --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL
>> --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth
>> --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local
>> --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update
>
> I'd have thought you want kerberos authentication and ldap user information.
> --enableldapauth I suspect is wrong.  You've switched your kerberos REALM from
> the original file you mailed.
>
>> My /etc/krb5.conf is then the following:
>> # cat /etc/krb5.conf
>> [logging]
>>     default = FILE:/var/log/krb5lib.log
>>     kdc = FILE:/var/log/krb5kdc.log
>>     admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>     ticket_lifetime = 24000
>>     default_realm = TEST-LPP.LOCAL
>>     default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
>>     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>>     dns_lookup_realm = true
>>     dns_lookup_kdc = true
>>
>> [realms]
>>     TEST-LPP.LOCAL = {
>>         kdc = pc-2003-test.test-lpp.local
>>         kdc = dc1-test.test-lpp.local
>>         admin_server = pc-2003-test.test-lpp.local
>>         default_domain = TEST-LPP.LOCAL
>>         kpasswd_server = pc-2003-test.test-lpp.local
>>         kdc = *
>>     }
>>
>> [domain_realm]
>>     .test-lpp.local = TEST-LPP.LOCAL
>>     test-lpp.local = TEST-LPP.LOCAL
>>
>> [kdc]
>>     profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>>  pam = {
>>    debug = false
>>    ticket_lifetime = 36000
>>    renew_lifetime = 36000
>>    forwardable = true
>>    krb4_convert = false
>>  }
>
> That now looks plausible given what you mailed for the keytab (i.e. the realms
> match now).
>
>> But both kerberos and ldap appear in /etc/pam.d/system-auth-ac :
>
> That's because you enabled ldap auth.  You probably don't want that.
>
>> I tried to remove the lines with pam_ldap.so and adding in
>> /etc/krb5.conf, as you suggested:
>> [appdefaults]
>>  pam = {
>>    novalidate = true
>>  }
>>
>> But it failed.
>
> Assuming the keytab setup is the same as it was before, you shouldn't need to
> bother with that.  I think it should have been validate = false rather than
> novalidate = true, I'd misunderstood the manpage.
>
> But if you leave that off, what fails now?
>
> jh
>

Indeed, nothing fails now. I want my users to authenticate against 
Active Directory, and it works, and I would like them to be able to use 
their kerberos credentials, if they need, to access domain resources, 
such as shares. But I have still to see a problem there.

Thanks again for your help and your comments!

Alain

-- 
==========================================================
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
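As an added example (editor's code, not part of the thread), the following audits a krb5.conf for the points raised above: it parses the file, flags the `default_tk_enctypes` key shown in the posted file (the real libdefaults option is `default_tkt_enctypes`, so the misspelled one is silently ignored), the deprecated single-DES and 3DES enctypes, a `default_realm` with no matching `[realms]` block, and `pam validate = false`. The sample config is constructed after the posted file; the hostname is the one from the thread.

```python
# Constructed sample modelled on the thread's krb5.conf (hostname taken from the thread).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = TEST-LPP.LOCAL
    default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
    TEST-LPP.LOCAL = {
        kdc = pc-2003-test.test-lpp.local
    }
[appdefaults]
    pam = {
        validate = false
    }
"""
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-hmac-sha1", "des3-cbc-sha1"}  # RFC 6649 / RFC 8429
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

def parse_krb5_conf(text):
    """Parse [section] / key = value / nested { } blocks; repeated keys (kdc) become lists."""
    conf, stack = {}, []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]       # new top-level section
        elif line == "}":
            stack.pop()                                     # close nested block
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))  # open nested block
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def audit_krb5_conf(text):
    """Return findings for the mistakes the thread discusses; an empty list means clean."""
    conf, findings = parse_krb5_conf(text), []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm not in realms:   # realm names must match exactly, case included
        findings.append(f"default_realm {default_realm} has no [realms] entry")
    for key in libdefaults:
        if key.endswith("_enctypes") and key not in ENCTYPE_KEYS:
            findings.append(f"{key} is not a libdefaults option and is ignored (default_tkt_enctypes?)")
    for key in sorted(ENCTYPE_KEYS.intersection(libdefaults)):
        for enctype in sorted(set(" ".join(libdefaults[key]).split()) & WEAK_ENCTYPES):
            findings.append(f"{key} allows deprecated enctype {enctype}")
    if conf.get("appdefaults", {}).get("pam", {}).get("validate") == ["false"]:
        findings.append("pam validate = false: TGT is not checked against the host keytab")
    return findings
```

Running `audit_krb5_conf(SAMPLE_KRB5_CONF)` reports four findings; switching the keys and enctypes to `default_tkt_enctypes` / `aes256-cts-hmac-sha1-96` and `validate = true` yields none.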