[31440] in Kerberos
Re: How to set up NIS->Krb5 user migration?
daemon@ATHENA.MIT.EDU (Nikos Nikoleris)
Tue Sep 1 12:36:04 2009
From: Nikos Nikoleris <nikos@ece.ntua.gr>
Date: Tue, 01 Sep 2009 18:00:45 +0200
Message-ID: <4A9D452D.8020403@ece.ntua.gr>
Mime-Version: 1.0
X-Complaints-To: usenet@ulysses.noc.ntua.gr
In-Reply-To: <mailman.79.1249307840.7908.kerberos@mit.edu>
X-Originally-To: Luís Eterovick <ltc.eterovick@gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Luís Eterovick wrote:
> Hello,
> what I need is to create Kerberos principals for every NIS user in a
> network. I have a working MIT Kerberos 5 on my computer that I made to test.
> I've read about pam_krb5_migrate, but I didn't use PAM for anything until
> now. How can I do this user creation, and is it possible to test it in my own
> Kerberos realm using the NIS information?
Hello Luis,

Well, you can use pam_krb5_migrate so as to achieve a smooth migration to
Kerberos. What we did when we migrated passwords from an LDAP server to
a Heimdal KDC was to migrate users while they were authenticating for
some of our services (e.g. mail or ssh). Thus each machine which hosted
some service would do the migration.

First you have to add the principal in /etc/security/pam_krb5.keytab:

pam_migrate/FQDN_OF_THE_MACHINE

Then delegate the credentials to those principals to be able to add new
principals to the KDC. Add to the ACL file
(/etc/heimdal-kdc/kadmind.acl; in MIT Kerberos this is named kadm5.acl
and it could be under /etc as well, or under /usr/local/var/krb5kdc if
you are using BSD) something like:

pam_migrate/fqdn@REALM a *@REALM

Then add to the PAM auth stack (/etc/pam.d/common-auth):

auth sufficient pam_krb5.so use_first_pass
auth required pam_unix.so nullok_secure nis use_first_pass
auth optional pam_krb5_migrate.so debug

That way, anyone using a service that uses PAM for auth should
be migrated to your KDC. The only side-effect is that users have to
enter their passwords twice. But this shouldn't be a problem; sometimes
they won't even notice, if that is done by some program (e.g. a mail client).
-- Nikos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
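As an added example (not part of Nikos's post or of the pam_krb5_migrate project), here is a small Python checker that parses a kadm5.acl file in the layout of the migration entry above and flags which principals may create arbitrary principals or hold every kadmin privilege. The hostnames in the constructed sample are placeholders, and the permission-letter semantics follow the MIT kadm5.acl documentation (letters applied left to right).

```python
from dataclasses import dataclass

# MIT kadm5.acl line layout: <principal> <permissions> [<target principal> [<restrictions>]]
# Lowercase letters grant, uppercase letters revoke, 'x' or '*' grant everything
# (per the MIT kadm5.acl documentation; this script applies letters left to right).
ALL_PERMS = set("adlmcipe")

@dataclass
class AclEntry:
    principal: str
    perms: str
    target: str = "*"          # a missing target field means "any principal"
    restrictions: str = ""

def parse_kadm5_acl(text: str) -> list:
    """Parse kadm5.acl text into AclEntry objects, skipping blank and '#' comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        entries.append(AclEntry(*fields))
    return entries

def permission_set(perms: str) -> set:
    """Expand a permission string such as 'a', 'aD' or '*' into the set of granted letters."""
    granted = set()
    for ch in perms:
        if ch in "*x":
            granted |= ALL_PERMS
        elif ch.islower() and ch in ALL_PERMS:
            granted.add(ch)
        elif ch.isupper() and ch.lower() in ALL_PERMS:
            granted.discard(ch.lower())
        else:
            raise ValueError(f"unknown permission flag {ch!r} in {perms!r}")
    return granted

def review_acl(text: str) -> list:
    """Flag entries that can add principals for a wildcard target or hold every privilege."""
    findings = []
    for e in parse_kadm5_acl(text):
        p = permission_set(e.perms)
        if "a" in p and "*" in e.target:
            findings.append(f"{e.principal} may add any principal matching {e.target}")
        if p == ALL_PERMS:
            findings.append(f"{e.principal} holds every kadmin privilege")
    return findings

# Constructed sample in the layout of the post's entry (hostnames are placeholders).
SAMPLE_ACL = """\
# migration hosts: add only; the second one is explicitly denied delete
pam_migrate/mailhost.example.com@EXAMPLE.COM  a   *@EXAMPLE.COM
pam_migrate/sshhost.example.com@EXAMPLE.COM   aD  *@EXAMPLE.COM
admin/admin@EXAMPLE.COM                       *
auditor@EXAMPLE.COM                           il
"""

if __name__ == "__main__":
    for finding in review_acl(SAMPLE_ACL):
        print(finding)
```

Run it against your own kadm5.acl to confirm that each pam_migrate/host principal has only the add right it needs and that no other service principal was given a wildcard grant by accident.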