[31686] in Kerberos
Re: Problem using Kerberos for user authentication
daemon@ATHENA.MIT.EDU (Braden McDaniel)
Wed Nov 11 17:12:04 2009
Message-ID: <4AFB368E.5000304@endoframe.com>
Date: Wed, 11 Nov 2009 17:11:26 -0500
From: Braden McDaniel <braden@endoframe.com>
To: kerberos@mit.edu
In-Reply-To: <115906d10911110841g7d1d44bcw60f0248e4df3bb16@mail.gmail.com>
Ryan Lynch wrote:
[snip]
> There are some differences between our setups. The biggest difference
> appears to be that I'm using 'pam_krb5' in combination with
> 'nss_ldap', because my user/group accounts are stored in LDAP (on an
> MS Active Directory DC). All accounts are either purely local (only
> exist in /etc/passwd, group, and shadow), or purely AD (only exist in
> Kerberos and LDAP)--there are no overlapping cases, where an account
> has a local /etc/passwd entry and a Kerberos principal, as well.

Getting LDAP up and running is the next step for me; in my case, the
directory will be hosted on this same machine. So I expect to be adding
those bits shortly.

> - Authenticating SSH logins via Kerberos tokens requires some changes
> to ssh_config, and possibly sshd_config, as well. If you haven't
> modified either the client or server for GSS/Kerberos operations, and
> you're not using any special command-line options, that may be part of
> your problem.

ssh appears to be working without me doing anything special in
sshd_config; my understanding is that once Kerberos is working with PAM,
the things that can use PAM will Just Work. I'm attributing successful
ssh logins to this.

> - I wanted to echo Javier's suggestion about using the 'debug'
> parameter to 'pam_krb5'. You can activate it via the 'system_auth'
> lines, or via your 'krb5.conf'. I could not have gotten my setup to
> work without the debug messages.

No doubt that will come in handy. Thanks...

--
Braden McDaniel e-mail: <braden@endoframe.com>
<http://endoframe.com> Jabber: <braden@jabber.org>
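
Added example, not part of the original message: a minimal sketch of the settings the two quoted points refer to, separating ticket-based (GSSAPI) SSH login from password login through pam_krb5. The host pattern example.com and the exact PAM control flag are assumptions; adapt them to the local PAM stack.

```conf
# --- /etc/ssh/sshd_config (server) ---
# Password logins checked by pam_krb5 go through PAM:
UsePAM yes
# Ticket-based logins (no password prompt) are a separate mechanism and
# need GSSAPI enabled, plus a host/<fqdn> key in the server's keytab:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# --- ~/.ssh/config or /etc/ssh/ssh_config (client) ---
# example.com is a placeholder realm domain (assumption).
Host *.example.com
    GSSAPIAuthentication yes
    # Forward the TGT only to hosts you trust; off here.
    GSSAPIDelegateCredentials no

# --- /etc/pam.d/system-auth (PAM stack) ---
# 'debug' makes pam_krb5 log its decisions through syslog.
auth        sufficient    pam_krb5.so debug

# --- /etc/krb5.conf (alternative place for the same switch) ---
[appdefaults]
    pam = {
        debug = true
    }
```

A password login that succeeds through PAM does not show that GSSAPI is configured; `ssh -v` on the client lists which authentication method was actually used.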