Re: Kerberos integration in directory server

> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On
> Behalf Of nimmermehr@xxxxxxxxx
> Sent: Tuesday, January 26, 2010 6:23 AM
> To: centos@xxxxxxxxxx
> Subject:  Kerberos integration in directory server
> 
> Hi,
> 
> Got some issues regarding Kerberos and Directory Server and hope someone
> can help me out.
> Used these for the configuration :
> http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
> http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
> 
> Server : CentOS 5.4 with Kerberos and Directory Server installed
> Client : CentOS 5.4
> 
> I use putty to connect to the client, which authenticates against the
> server.
> Using Kerberos or LDAP worked perfectly (using system-config-
> authentication on the client for configuration)
> 
> The only thing that doesn't seem to work is the kerberized version of the
> login via LDAP on the directory Server. Shouldn't I get a Kerberos ticket
> for that ? If I activate kerberos AND ldap in system-config-authentication
> it fails :
> 
> Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user
> unknown
> Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
> Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error
> retrieving information about user testuser
> Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user
> testuser from 192.168.0.1 port 1142 ssh2
> 
> I followed the instructions here :
> http://directory.fedoraproject.org/wiki/Howto:Kerberos
> 
> Maybe I just didn't get it ;)
> 
> Thanks in advance,
> 
> Peter
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

My setup is a tad different from yours in that I integrated MIT Kerberos with OpenLDAP. While our configurations are different, I'm sure you're trying for kerberized logins (the system authenticates against Kerberos and pulls account information from LDAP). If so, here are some items you may want to verify you have included in your system-auth config file.

# auth: Kerberos alone is enough; use_first_pass reuses the password
# already collected by an earlier module instead of prompting again
auth      sufficient  pam_krb5.so use_first_pass
auth      sufficient  pam_unix.so nullok try_first_pass
# account: authorization/expiry data from LDAP, otherwise local files
account   sufficient  pam_ldap.so
account   required    pam_unix.so
# password: change the Kerberos password, otherwise the local one
password  sufficient  pam_krb5.so
password  sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# session: fresh kernel keyring, then pam_krb5 sets up the credential cache
session   optional    pam_keyinit.so revoke
session   optional    pam_krb5.so

Dan
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
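An added diagnostic for the symptom in the original post, written for this page and not code from either poster. The lines "pam_succeed_if(sshd:auth): error retrieving information about user testuser" and "Failed password for invalid user testuser" mean that sshd and PAM could not resolve the account through NSS (getpwnam) at all, which happens before pam_krb5 or pam_ldap is ever consulted; so the first thing to verify is that passwd/shadow/group in nsswitch.conf include ldap, and only then the PAM stack Dan lists. The script checks both files and scans an sshd log for those messages. The file paths, the sample nsswitch.conf and system-auth contents, and the function names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added diagnostic for Kerberos auth + LDAP account lookups (not from the thread).
# The sample files created at the bottom are constructed, not real system files.

# Print the lookup sources of one nsswitch database, e.g. "files ldap".
# $1 = path to an nsswitch.conf, $2 = database (passwd, shadow, group)
nss_sources() {
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Exit 0 when that database consults ldap (anywhere in its source list).
nss_uses_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Exit 0 when PAM stack $2 (auth/account/password/session) in file $1 loads
# module $3. Comment and short lines are skipped; the type is compared
# case-insensitively so an "Auth ..." line pasted from a mail client still matches.
pam_has_module() {
    awk -v stack="$2" -v mod="$3" '
        /^[ \t]*#/ || NF < 3 { next }
        tolower($1) == stack && $3 == mod { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Exit 0 when an sshd log file shows the "account not resolvable" symptoms
# from the original post (these come from getpwnam failing, not from Kerberos).
log_shows_unresolved_user() {
    grep -Eq 'invalid user|user unknown|error retrieving information about user' "$1"
}

# Run every check, print one line each, exit 0 only if all pass.
# $1 = nsswitch.conf path, $2 = PAM system-auth path
check_kerberized_login() {
    nss=$1; pam=$2; rc=0
    for db in passwd shadow group; do
        if nss_uses_ldap "$nss" "$db"; then
            echo "ok:   nsswitch $db -> $(nss_sources "$nss" "$db")"
        else
            echo "FAIL: nsswitch $db lacks ldap (got: $(nss_sources "$nss" "$db"))"; rc=1
        fi
    done
    # The module/stack pairs Dan's reply says to verify.
    for pair in "auth pam_krb5.so" "account pam_ldap.so" \
                "password pam_krb5.so" "session pam_krb5.so"; do
        set -- $pair
        if pam_has_module "$pam" "$1" "$2"; then
            echo "ok:   $1 stack loads $2"
        else
            echo "FAIL: $1 stack does not load $2"; rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on constructed sample files (assumed contents, not /etc).
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
cat > "$tmp/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     sufficient    pam_ldap.so
account     required      pam_unix.so
password    sufficient    pam_krb5.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     optional      pam_keyinit.so revoke
session     optional      pam_krb5.so
EOF
check_kerberized_login "$tmp/nsswitch.conf" "$tmp/system-auth"
rm -rf "$tmp"
```

On a real client run it as check_kerberized_login /etc/nsswitch.conf /etc/pam.d/system-auth, and compare with getent passwd testuser: if getent returns nothing, the FAIL lines from the nsswitch checks (or a missing/unreachable ldap.conf server) are the cause of the "invalid user" messages, and no amount of PAM tuning will change the sshd log until that lookup works.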
