[30939] in Kerberos
Re: Getting user info via LDAP, authenticating via Kerberos
daemon@ATHENA.MIT.EDU (John Koelndorfer)
Fri Mar 27 16:23:23 2009
Message-ID: <49CCF839.9090109@cems.umn.edu>
Date: Fri, 27 Mar 2009 11:00:57 -0500
From: John Koelndorfer <kdorf@cems.umn.edu>
To: kerberos@mit.edu
In-Reply-To: <49CBBFE4.5040008@cems.umn.edu>
Hello again,
Firstly, thanks to those who have taken time to shoot an e-mail my way
to try and help. It's greatly appreciated. Secondly, sorry to be
sending out another list mail but I notice that the suggestions I got
were all more or less the same -- look at PAM. I think I may not have
been clear enough in my last e-mail, so I'll try to explain again. I
also forgot to include version numbers and attach some config files.
Again, my apologies.
Also, I don't do much in the realm of mailing lists so I'm unsure if it
is expected that most people that write in are subscribed. I happen not
to be, so please reply directly to my address if you would.
Our servers are primarily running RHEL4:

`cat /etc/issue`

    Red Hat Enterprise Linux AS release 4 (Nahant Update 7)
    Kernel \r on an \m

Some important lib versions (I don't think I missed any but I am far
from an expert):

`rpm -qa | grep krb5`

    krb5-workstation-1.3.4-60.el4
    krb5-auth-dialog-0.2-1
    krb5-libs-1.3.4-60.el4
    pam_krb5-2.1.17-6.el4

`rpm -q "nss_ldap"`

    nss_ldap-253-5.el4

Finally, a kernel version:

`uname -r`

    2.6.9-78.ELsmp
The suggestions I got via e-mail were to look at my PAM configuration.
What I was attempting to convey before was that I have indeed gone over
PAM settings and here's what I have:
I can successfully get a Kerberos ticket (it is shown in `klist` after
login) **if ldap is not listed in nsswitch.conf**. Here's a snippet to
show what I mean:
    passwd: files
    shadow: files
    group: files
The above works. However, I have to create a local user account for the
user I want to log in with. This is not something I'd like to have to
do. Now, here's a non-working snippet:
    passwd: files ldap
    shadow: files ldap
    group: files ldap
The above causes `klist` to not show Kerberos tickets (and in fact they
aren't retrieved as users cannot access homes). Nothing in the PAM
configuration changed in this test.
I've provided somewhat censored versions of /etc/krb5.conf,
/etc/ldap.conf, /etc/pam.d/system-auth, and /etc/nsswitch.conf. I hope
these will be helpful if anyone would be kind enough to help. If
something else is needed, please do let me know.
John Koelndorfer wrote:
> Hello everyone,
>
> I've got a tricky problem that's been gnawing at me for the past few
> days or so. First, a little background:
>
> We're running an active directory setup with the usual Windows domain
> controllers (they're Windows 2000, if it matters) but users' home
> directories are stored on a Linux box running Samba. Our other Linux
> servers will need to get at these homes for various reasons. Our setup
> is fine with NFSv3, but we were looking to gain security and move up
> to NFSv4 with Kerberos authentication. NFSv4 won't allow people to
> access their home directories without a valid Kerberos ticket for
> their principal. If this could be turned off somehow, that'd be one
> way to fix this issue (all_squashing to root doesn't sound
> particularly appealing) otherwise I need users to be able to get their
> Kerberos ticket on login.
>
> That works fine as long as ldap is not listed in nsswitch.conf. The
> problem is we need to use ldap to fetch user info.
>
> So, here's a quick example in case I wasn't clear enough:
> I ssh to our server using my domain credentials, kdorf and password.
>
> If I have a local user account on that machine and ldap is *not*
> listed in nsswitch.conf, I can login using my domain password and a
> valid Kerberos ticket is fetched for me -- I get access to my home.
>
> If I don't have a local account on that machine and ldap *is* listed
> in nsswitch.conf, I can login using my domain password but `klist`
> shows that I do *not* have a valid Kerberos ticket. Home directory
> access is denied.
>
> I need to have valid Kerberos tickets fetched for ldap users.
> Alternatively, I would like NFSv4 to not sweat people about Kerberos
> tickets to access their homes. Is this possible?
>
> Thanks in advance for your help.
> John
Attachment: krb5.conf

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  ticket_lifetime = 24000
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_tgs_enctypes = des-cbc-md5, des-cbc-crc
  default_tkt_enctypes = des-cbc-md5, des-cbc-crc
  default_realm = OUR.REALM.HERE
  forwardable = true

[realms]
  CEMS.UMN.EDU = {
    kdc = OUR.DC.HERE:88
    admin_server = OUR.DC.HERE:749
    default_domain = our.domain.here
  }

[domain_realm]
  .cems.umn.edu = OUR.REALM.HERE
  cems.umn.edu = OUR.REALM.HERE

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
Attachment: ldap.conf
# @(#)$Id: ldap.conf,v 2.35 2004/03/03 21:06:34 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 134.84.166.6
# The distinguished name of the search base.
base dc=hidden,dc=for,dc=security
# Another way to specify your LDAP server is to provide a
# URI with the server name. This allows using
# Unix domain sockets to connect to a local LDAP server.
uri ldaps://our.dc.ip.here.1/ ldaps://our.dc.ip.here.2/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn= # removed for security -- this is working
# The credentials to bind with.
# Optional: default is no credential.
bindpw ****************
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=cemsadmin,cn=Users,dc=mikedom,dc=cems,dc=umn,dc=edu
# The port.
# Optional: default is 389.
#port 389
#port 636
# The search scope.
scope sub
#scope one
#scope base
# Search timelimit
#timelimit 1
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
pam_login_attribute userPrincipalName
pam_template_login_attribute uid
pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd dc=hidden,dc=for,dc=sec?sub
nss_base_shadow dc=hidden,dc=for,dc=sec?sub
#nss_base_group ou=Group,dc=padl,dc=com?sub
#nss_base_hosts ou=Hosts,dc=padl,dc=com?sub
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos displayname
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer no
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0 passcred
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
tls_reqcert never
Attachment: nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# ldap Use LDAP (only if nss_ldap is installed)
# nisplus or nis+ Use NIS+ (NIS version 3), unsupported
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files ldap nis
#shadow: db files ldap nis
#group: db files ldap nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files ldap nis dns
hosts: files dns
# Example - obey only what ldap tells us...
#services: ldap [NOTFOUND=return] files
#networks: ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc: ldap [NOTFOUND=return] files
#ethers: ldap [NOTFOUND=return] files
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
Attachment: system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass debug
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_krb5.so use_first_pass debug
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_krb5.so use_authtok minimum_uid=1000 debug
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_krb5.so use_first_pass debug
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
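As an added example (not code from the post, from PADL's nss_ldap, or from MIT Kerberos), here is a small Python audit of the security-relevant settings in the attached ldap.conf and krb5.conf. It parses both file formats and flags the choices a reviewer would raise about this configuration: the ldaps server certificate is never verified (`tls_checkpeer no`, `tls_reqcert never`), the bind password sits in ldap.conf, the SASL security layer is disabled (`maxssf=0`), and both enctype lists are single-DES only. The two input strings are constructed from the attachments with comment lines dropped and the post's placeholders kept; the parsers are deliberately minimal (no `include` directives, no multi-valued keys) and are not nss_ldap's or libkrb5's own.

```python
import re
from dataclasses import dataclass

# Constructed input: the security-relevant lines of the attached ldap.conf,
# comments dropped, placeholders kept as the post shows them.
LDAP_CONF = """\
base dc=hidden,dc=for,dc=security
uri ldaps://our.dc.ip.here.1/ ldaps://our.dc.ip.here.2/
binddn cn=removed_for_example
bindpw ****************
scope sub
pam_check_service_attr yes
ssl on
tls_checkpeer no
sasl_secprops maxssf=0 passcred
tls_reqcert never
"""

# Constructed input: the [libdefaults] and [realms] sections as attached.
KRB5_CONF = """\
[libdefaults]
  ticket_lifetime = 24000
  dns_lookup_kdc = false
  default_tgs_enctypes = des-cbc-md5, des-cbc-crc
  default_tkt_enctypes = des-cbc-md5, des-cbc-crc
  default_realm = OUR.REALM.HERE
  forwardable = true
[realms]
  CEMS.UMN.EDU = {
    kdc = OUR.DC.HERE:88
    admin_server = OUR.DC.HERE:749
  }
"""

# Single-DES enctypes, deprecated for Kerberos by RFC 6649.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}


@dataclass(frozen=True)
class Finding:
    source: str
    key: str
    message: str


def parse_ldap_conf(text):
    """PADL ldap.conf: one 'key value' per line, '#' comment lines; keys are
    case-insensitive and a repeated key's last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, 'key = value' lines and
    'name = { ... }' subsections, returned as nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def audit_ldap_conf(conf):
    """Flag settings that leave the directory connection unauthenticated or
    expose the bind credential; returns a list of Finding."""
    out = []
    uris = conf.get("uri", "").split()
    uses_tls = conf.get("ssl") in ("on", "start_tls") or any(u.startswith("ldaps://") for u in uris)
    if not uses_tls:
        out.append(Finding("ldap.conf", "ssl", "no TLS: bind credentials and lookups travel in cleartext"))
    else:
        # The file's own comment documents "no" as the tls_checkpeer default.
        if conf.get("tls_checkpeer", "no") == "no":
            out.append(Finding("ldap.conf", "tls_checkpeer", "server certificate not verified; set yes and a tls_cacertfile/tls_cacertdir"))
        if conf.get("tls_reqcert") in ("never", "allow"):
            out.append(Finding("ldap.conf", "tls_reqcert", "OpenLDAP client accepts any or no server certificate; use demand"))
    if conf.get("bindpw"):
        out.append(Finding("ldap.conf", "bindpw", "bind password kept in ldap.conf, which nss_ldap needs readable; prefer rootbinddn with /etc/ldap.secret (mode 600) or a read-only bind account"))
    if "maxssf=0" in conf.get("sasl_secprops", "").replace(",", " ").split():
        out.append(Finding("ldap.conf", "sasl_secprops", "SASL security layers disabled, so confidentiality rests entirely on TLS"))
    return out


def audit_krb5_conf(conf):
    """Flag single-DES enctypes in [libdefaults]; returns a list of Finding."""
    out = []
    libdefaults = conf.get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        enctypes = [e.strip().lower() for e in libdefaults.get(key, "").split(",") if e.strip()]
        weak = sorted(DES_ENCTYPES.intersection(enctypes))
        if weak:
            out.append(Finding("krb5.conf", key, f"single-DES enctypes {', '.join(weak)}; DES is deprecated for Kerberos (RFC 6649)"))
    return out


def audit_all():
    """Audit both constructed inputs; returns the combined list of Finding."""
    return audit_ldap_conf(parse_ldap_conf(LDAP_CONF)) + audit_krb5_conf(parse_krb5_conf(KRB5_CONF))


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f.source}: {f.key}: {f.message}")
```

Running it as a script prints six findings for the posted files. They concern the trust placed in the LDAP transport and the Kerberos enctypes, not the nsswitch/PAM ordering question the post asks about; with `tls_checkpeer no` and `tls_reqcert never`, the `ldaps://` URIs give encryption to whatever answers on port 636 but no assurance that it is the domain controller, and the bind DN's password is sent to it.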