[29070] in Kerberos
Possibility of not creating host principals and keytabs for
daemon@ATHENA.MIT.EDU (Barry King)
Wed Jan 16 18:14:34 2008
Message-ID: <164f0b3c0801161009s7bc7851rff574a60853c5bd4@mail.gmail.com>
Date: Wed, 16 Jan 2008 10:09:12 -0800
From: "Barry King" <barryking93@gmail.com>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I'm looking for a way to use a combination of kerberos & ldap authentication
for (primarily Fedora 8) Linux workstations. My goal is to have an
automated install that will allow users to authenticate to kerberos
immediately after install, without the need to create host principals or
extract keytabs.
Right now, when I ssh in, it hangs and I get this with debug turned on:
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: trying previously-entered password for 'bking', allowing libkrb5 to prompt for more
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: authenticating 'bking@REALM' to 'krbtgt/REALM@REALM'
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: krb5_get_init_creds_password(krbtgt/REALM@REALM returned 0 (Success)
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: got result 0 (Success)
Thoughts?
My (sanitized) krb5.conf:
[logging]
default = SYSLOG:ERR:USER
[libdefaults]
default_realm = REALM
dns_lookup_kdc = false
dns_lookup_realm = false
noaddresses = true
validate = false
[realms]
EXPERTCITY.COM = {
kdc = names1.realm
master_kdc = names0.realm
admin_server = names0.realm
auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
auth_to_local = DEFAULT
}
[domain_realm]
.realm = REALM
[appdefaults]
pam = {
forwardable = true
}
My pam.d/system-auth:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug
#auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_krb5.so debug
account sufficient /lib/security/$ISA/pam_ldap.so debug
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok debug
password required /lib/security/$ISA/pam_deny.so debug
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
#session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional /lib/security/$ISA/pam_krb5.so debug
session optional /lib/security/$ISA/pam_ldap.so debug
Any ideas? Is what I'm trying even possible?
Thanks,
--
Barry King
barryking93@gmail.com
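Added illustration, not part of the original post: the setting that decides whether a host principal and keytab are needed is TGT validation. With `validate = false` (as in the krb5.conf above) pam_krb5 accepts whatever reply comes back for `krbtgt/REALM@REALM` without checking it against a key only the real KDC knows, so a host that can answer KDC traffic on the workstation's network path could make a password appear valid. With validation on, pam_krb5 needs a `host/<fqdn>@REALM` key in the keytab to verify the ticket. The hostname, realm and keytab path below are placeholders, and the option placement follows the pam_krb5 module's documented `[appdefaults]` `pam` subsection rather than the original's `[libdefaults]`.

```ini
# --- As posted: no host principal, no keytab, validation off ---
# The login works without a keytab, but the client cannot tell a genuine
# KDC reply from a forged one.
[appdefaults]
  pam = {
    forwardable = true
    validate = false
  }

# --- Hardened: host principal present, validation on ---
# Requires a host key on the workstation, e.g. created with
#   kadmin -q "addprinc -randkey host/<fqdn>@<REALM>"   (placeholder names)
#   kadmin -q "ktadd host/<fqdn>@<REALM>"               (writes /etc/krb5.keytab)
[libdefaults]
  default_realm = EXAMPLE.REALM         # placeholder realm
  # Make libkrb5 itself refuse initial credentials it cannot verify
  # against the local keytab (error instead of silent acceptance).
  verify_ap_req_nofail = true

[appdefaults]
  pam = {
    forwardable = true
    validate = true                     # verify the TGT with the host key
    keytab = /etc/krb5.keytab           # placeholder path; default location
  }
```

Usage note: with the hardened fragment in place, a login on a host whose keytab is missing or whose `host/` key does not match the KDC's will fail at the validation step, which is the intended behaviour; the pam_krb5 `debug` output already enabled in the posted PAM stack will show the validation result after the `got result 0 (Success)` line, so that is the first place to look when switching the option on.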
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos