[30935] in Kerberos


Re: Getting user info via LDAP, authenticating via Kerberos

daemon@ATHENA.MIT.EDU (Javier Palacios)
Thu Mar 26 17:03:03 2009

In-Reply-To: <49CBBFE4.5040008@cems.umn.edu>
Date: Thu, 26 Mar 2009 22:02:06 +0100
Message-ID: <a64bf030903261402o3650a0adoa2b405e99e223aae@mail.gmail.com>
From: Javier Palacios <javiplx@gmail.com>
To: John Koelndorfer <kdorf@cems.umn.edu>
Cc: kerberos@mit.edu

On Thu, Mar 26, 2009 at 6:48 PM, John Koelndorfer <kdorf@cems.umn.edu> wrote:
> So, here's a quick example in case I wasn't clear enough:
> I ssh to our server using my domain credentials, kdorf and password.
>
> If I have a local user account on that machine and ldap is *not* listed
> in nsswitch.conf, I can login using my domain password and a valid
> Kerberos ticket is fetched for me -- I get access to my home.
>
> If I don't have a local account on that machine and ldap *is* listed in
> nsswitch.conf, I can login using my domain password but `klist` shows
> that I do *not* have a valid Kerberos ticket. Home directory access is
> denied.

You are basically looking in the wrong place.
To use a Kerberos ticket or not, you need to look at the PAM configuration,
and be careful to disable pam_ldap. If your distro is Red Hat derived,
it is quite easy to see either with authconfig-tui or the
Administration->Authentication menu. User information is clearly
separated from authentication. LDAP is in both places, but Kerberos
only in one. I don't know of a similar tool for Debian distros (there was
a helper for Ubuntu which I cannot find right now), and I lack enough
expertise for other distros.

The distro you are using is an important detail that could help you
clarify that.

NFSv4 might introduce differences, but for the other parts maybe
this reference could help you a bit:
http://kad.wiki.sourceforge.net/ActiveDirectoryIntegration

Javier Palacios
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
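
Added example (not part of the original message or of any tool it mentions): a small check of the separation the reply describes, reading user-information sources from nsswitch.conf and the authentication order from a PAM auth stack. The file contents are constructed samples and the function names are hypothetical; it assumes pam_ldap is marked `sufficient` ahead of pam_krb5, one layout that gives a working login without a ticket.

```python
import re

# Constructed sample files (not from the thread): LDAP supplies user
# information, and both pam_ldap and pam_krb5 sit in the auth stack.
NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: files\n"
PAM_AUTH = """\
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok
auth     sufficient  pam_ldap.so use_first_pass
auth     sufficient  pam_krb5.so use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
"""
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def nss_sources(text, database):
    """Sources nsswitch.conf lists for one database, e.g. ['files', 'ldap']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            items = line.split(":", 1)[1].split()
            return [s for s in items if not s.startswith("[")]
    return []

def auth_stack(text):
    """(control, module) pairs of the PAM auth facility, in file order."""
    hits = (AUTH_LINE.match(l.strip()) for l in text.splitlines())
    return [(m.group(1), m.group(2).rsplit("/", 1)[-1]) for m in hits if m]

def check(nsswitch, pam):
    findings = []
    stack = auth_stack(pam)
    if "ldap" in nss_sources(nsswitch, "passwd"):
        findings.append("info: user information comes from LDAP (NSS)")
    if all(module != "pam_krb5.so" for _, module in stack):
        findings.append("problem: no pam_krb5 in auth stack, so no ticket at login")
    for control, module in stack:
        if module == "pam_krb5.so":
            break
        # A successful 'sufficient' module ends the stack: pam_krb5 never runs.
        if module == "pam_ldap.so" and control == "sufficient":
            findings.append("problem: pam_ldap authenticates before pam_krb5")
    return findings

if __name__ == "__main__":
    for finding in check(NSSWITCH, PAM_AUTH):
        print(finding)
```

Removing the pam_ldap line from the auth stack while leaving `ldap` in nsswitch.conf clears the problem finding, which matches the reply's point that LDAP can stay for user information only.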
