[31682] in Kerberos
Re: Problem using Kerberos for user authentication
daemon@ATHENA.MIT.EDU (Ryan Lynch)
Wed Nov 11 11:43:29 2009
MIME-Version: 1.0
In-Reply-To: <1257932764.3112.444.camel@localhost>
From: Ryan Lynch <ryan.b.lynch@gmail.com>
Date: Wed, 11 Nov 2009 11:41:34 -0500
Message-ID: <115906d10911110841g7d1d44bcw60f0248e4df3bb16@mail.gmail.com>
To: Braden McDaniel <braden@endoframe.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Wed, Nov 11, 2009 at 04:46, Braden McDaniel <braden@endoframe.com> wrote:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
>
For starters, here's my '/etc/pam.d/system_auth':
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so minimum_uid=9999 debug
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_krb5.so minimum_uid=9999 debug
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so minimum_uid=9999 debug
password required pam_deny.so

#session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_krb5.so minimum_uid=9999 debug
session required pam_unix.so
There are some differences between our setups. The biggest difference appears to be that I'm using 'pam_krb5' in combination with 'nss_ldap', because my user/group accounts are stored in LDAP (on an MS Active Directory DC). All accounts are either purely local (only exist in /etc/passwd, group, and shadow), or purely AD (only exist in Kerberos and LDAP)--there are no overlapping cases, where an account has a local /etc/passwd entry and a Kerberos principal, as well.

So I don't think this will be very useful to you, after all. Sorry about that. But I do want to suggest a couple of things that might help:

- Authenticating SSH logins via Kerberos tokens requires some changes to ssh_config, and possibly sshd_config, as well. If you haven't modified either the client or server for GSS/Kerberos operations, and you're not using any special command-line options, that may be part of your problem.
- Can you post a copy of your /etc/krb5.conf file up here, as well? In my experience, it's awfully hard to distinguish between errors in the krb5.conf and pam.d/system_auth.
- I wanted to echo Javier's suggestion about using the 'debug' parameter to 'pam_krb5'. You can activate it via the 'system_auth' lines, or via your 'krb5.conf'. I could not have gotten my setup to work without the debug messages.
-Ryan
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
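As an added illustration of how libpam walks a stack like the two posted above (this is not code from the post, from libpam, or from pam_krb5): a small simulator that parses system-auth lines, applies the control-flag rules from pam.conf(5), and replays the poster's auth stack on a constructed copy. The per-module return values are supplied by hand; in particular, treating pam_krb5 as returning 'ignore' for a user below minimum_uid is an assumption made for the demonstration.

```python
# PAM stack simulator, an added example (not code from the post or from libpam): replays
# one management group of a system-auth file under libpam's control-flag rules.
import re
OK = {"success": "ok", "new_authtok_reqd": "ok"}       # shorthand flags as pam.conf(5) defines them
SHORTHAND = {"required":   {**OK, "ignore": "ignore", "default": "bad"},
             "requisite":  {**OK, "ignore": "ignore", "default": "die"},
             "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
             "optional":   {**OK, "default": "ignore"}}
LINE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")

def parse_stack(text, group):
    """Return [(actions, module, args)] for one management group, in file order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or raw.lstrip().startswith("#") or m.group(1) != group:
            continue
        ctrl = m.group(2)                         # keyword or explicit [value=action ...] list
        actions = (dict(t.split("=", 1) for t in ctrl[1:-1].split())
                   if ctrl.startswith("[") else SHORTHAND[ctrl])
        stack.append((actions, m.group(3), m.group(4).split()))
    return stack

def run_stack(stack, results):
    """results: module -> return value ('success', 'auth_err', ...); missing modules return 'ignore'."""
    impression, status, i = None, "perm_denied", 0          # libpam's initial state: deny
    while i < len(stack):
        actions, module, _args = stack[i]
        rv = results.get(module, "ignore")
        act = actions.get(rv, actions.get("default", "bad"))
        i += 1
        if act.isdigit():                                    # jump: skip the next N modules
            i += int(act)
        elif act in ("ok", "done"):
            if rv != "ignore" and (impression is None or status == "success"):
                impression, status = "positive", rv
            if act == "done" and impression == "positive":
                break            # 'sufficient' ends the stack only when nothing failed earlier
        elif act in ("bad", "die"):
            if impression != "negative":                     # the first failure is what is reported
                impression, status = "negative", rv
            if act == "die":
                break
    return status
# Constructed copy of the poster's auth stack; minimum_uid=9999 keeps pam_krb5 off local accounts.
SYSTEM_AUTH = """auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so minimum_uid=9999 debug
auth required pam_deny.so"""
```

Feeding the same stack different per-module results shows why a bad Kerberos password still ends in pam_deny.so, why a local system account never reaches pam_krb5, and why an all-'ignore' run is denied rather than allowed.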