Re: Kerberos/LDAP authentication no more working in 5.6 ?




On Tue, 12 Apr 2011, Alain Péan wrote:

> In fact, I solved the problem using the authconfig command, but I wonder
> if it is really correct, as I mixed kerberos and ldap. Here is the
> authconfig command for my test domain:

Using kerberos and ldap is a perfectly reasonable thing to want to do, but you
need to be sure you're doing what you want.

> # authconfig --enablekrb5 \
>     --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
>     --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL \
>     --enablekrb5kdcdns --enablekrb5realmdns --enableldap --enableldapauth \
>     --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
>     --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update

I'd have thought you want kerberos authentication and ldap user information.
--enableldapauth I suspect is wrong.  You've switched your kerberos REALM from
the original file you mailed.

> My /etc/krb5.conf is then the following:
> # cat /etc/krb5.conf
> [logging]
>     default = FILE:/var/log/krb5lib.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     ticket_lifetime = 24000
>     default_realm = TEST-LPP.LOCAL
>     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>
> [realms]
>     TEST-LPP.LOCAL = {
>         kdc = pc-2003-test.test-lpp.local
>         kdc = dc1-test.test-lpp.local
>         admin_server = pc-2003-test.test-lpp.local
>         default_domain = TEST-LPP.LOCAL
>         kpasswd_server = pc-2003-test.test-lpp.local
>         kdc = *
>     }
>
> [domain_realm]
>     .test-lpp.local = TEST-LPP.LOCAL
>     test-lpp.local = TEST-LPP.LOCAL
>
> [kdc]
>     profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }

That now looks plausible given what you mailed for the keytab (i.e. the realms
match now).

> But both kerberos and ldap appear in /etc/pam.d/system-auth-ac:

That's because you enabled ldap auth.  You probably don't want that.

> I tried to remove the lines with pam_ldap.so and adding in
> /etc/krb5.conf, as you suggested:
> [appdefaults]
>  pam = {
>    novalidate = true
>  }
>
> But it failed.

Assuming the keytab setup is the same as it was before, you shouldn't need to
bother with that.  I think it should have been validate = false rather than
novalidate = true; I'd misunderstood the manpage.

But if you leave that off, what fails now?

jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
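The point jh makes above (Kerberos for authentication, LDAP only for user information, so pam_ldap.so should not be in the PAM auth stack) can be checked mechanically. The POSIX sh script below is an added example written for this page; it is not code from the thread, from authconfig or from pam_krb5. The function names are mine, and the sample system-auth-ac it inspects is constructed in the style of what CentOS 5 authconfig writes with both --enablekrb5 and --enableldapauth, not a capture from the poster's machine. The corrected authconfig invocation in the header comment is the thread's own command with --enableldapauth dropped.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect an authconfig-generated
# /etc/pam.d/system-auth-ac and report which modules do authentication.
# pam_krb5.so and pam_ldap.so both in the "auth" stack is what --enablekrb5
# plus --enableldapauth produces; Kerberos auth with LDAP used only for user
# information (via nsswitch) should show pam_krb5.so alone.
#
# Corrected authconfig call: the thread's command minus --enableldapauth
# (hostnames, realm and base DN are the thread's test values):
#   authconfig --enablekrb5 \
#     --krb5kdc=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
#     --krb5adminserver=pc-2003-test.test-lpp.local --krb5realm=TEST-LPP.LOCAL \
#     --enablekrb5kdcdns --enablekrb5realmdns --enableldap \
#     --ldapserver=pc-2003-test.test-lpp.local,dc1-test.test-lpp.local \
#     --ldapbasedn="dc=test-lpp,dc=local" --enablemkhomedir --update

# Number of "auth" lines in PAM file $1 that load module $2 (e.g. pam_ldap.so).
# Fields are scanned from the control flag onward, so a bracketed control such
# as "[default=bad success=ok]" does not shift the module off a fixed column.
pam_auth_uses() {
    awk -v mod="$2" '
        $1 == "auth" { for (i = 2; i <= NF; i++) if ($i == mod) n++ }
        END { print n + 0 }' "$1"
}

# Classify the auth stack of PAM file $1: mixed, kerberos, ldap or local-only.
classify_auth_stack() {
    k=$(pam_auth_uses "$1" pam_krb5.so)
    l=$(pam_auth_uses "$1" pam_ldap.so)
    if [ "$k" -gt 0 ] && [ "$l" -gt 0 ]; then echo mixed
    elif [ "$k" -gt 0 ]; then echo kerberos
    elif [ "$l" -gt 0 ]; then echo ldap
    else echo local-only
    fi
}

# Print PAM file $1 with pam_ldap.so removed from the "auth" stack only;
# account/password/session lines are left as they are. On a real system use
# "authconfig --disableldapauth --update" rather than hand-editing the file;
# this only shows what the change amounts to in the auth stack.
strip_ldap_auth() {
    awk '!($1 == "auth" && index($0, "pam_ldap.so"))' "$1"
}

# Constructed sample (assumption: in the style of a CentOS 5 system-auth-ac
# written with both --enablekrb5 and --enableldapauth; not a real capture).
write_sample_mixed() {
    cat > "$1" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
EOF
}

# Stand-alone run: classify the mixed stack, then the same file with LDAP auth dropped.
sample=$(mktemp) && write_sample_mixed "$sample"
echo "as generated:             $(classify_auth_stack "$sample")"
strip_ldap_auth "$sample" > "$sample.fixed"
echo "auth without pam_ldap.so: $(classify_auth_stack "$sample.fixed")"
rm -f "$sample" "$sample.fixed"
```

Run it against the real file with `classify_auth_stack /etc/pam.d/system-auth-ac` once the functions are sourced; "mixed" is the state the thread describes, "kerberos" is the intended one. The same question applies to the password stack: with Kerberos as the authentication source, a pam_ldap.so line there would send password changes to LDAP rather than to the KDC.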
