[31680] in Kerberos
Re: Problem using Kerberos for user authentication
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Nov 11 11:24:15 2009
Message-ID: <4AFAE505.6060200@anl.gov>
Date: Wed, 11 Nov 2009 10:23:33 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
To: Javier Palacios <javiplx@gmail.com>
In-Reply-To: <a64bf030911110746k5fe5b8b6g9d775b1768a92221@mail.gmail.com>
Cc: kerberos@mit.edu
Javier Palacios wrote:
>> I'm trying to get off the ground setting up Kerberos on a Fedora 11 box.
>> I've attempted to follow the instructions here:
>> http://aput.net/~jheiss/krbldap/howto.html
>
> That is a pretty old howto (probably older than fedora).
>
>> I've tried both changing the password field for the user in /etc/shadow
>> to "*K*" (as mentioned in the howto) and removing the user's entry
>> in /etc/shadow altogether--in both cases login fails.
>
> The '*K*' thing is probably inaccurate. I've never used it, and had
> success in debian, fedora and RHEL. And removing the user entry in
> /etc/shadow (without changes in /etc/passwd) should produce a
> non-usable account, either with kerberos or whichever auth method.
If shadow has * it would be a locked account, and the pam account should not
allow login. Using NP, i.e. no password, works well as there is no password
that can match NP. (When in LDAP, use {crypt}NP)
>
>> Any ideas what the problem might be? Or where else I should be looking
>> to find out?
>
> Just in case, you need to be able to `kinit username` (without the /admin).
>
> And for the pam_krb5 lines on system-auth, you can add 'debug' and
> will get some extra info on syslog.
>
> And following the question from Ryan, I recommend you to check first
> with console, then with ssh and finally with any window based login.
>
> Javier Palacios
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444