NIS => Kerberos/LDAP Migration

Douglas E. Engert deengert at anl.gov
Tue Aug 14 11:03:41 EDT 2007



Tim Schaab wrote:
> Thomas A. La Porte wrote:
>> Not sure what you mean when you say that pam-krb5-migrate "doesn't work
>> with MIT kerberos."
>>
>> We used it in our infrastructure to do exactly what you are looking to
>> do, and we use MIT Kerberos on Linux.
>>
>> What problems did you run into?
>>
>>  -- Tom
> 
> Part of the problem is trying to get it to actually run on a client
> system running Linux, Ubuntu Edgy specifically. It will compile when
> heimdal-dev is installed, but won't compile when krb5-dev is installed.
> 
> When I build it against heimdal-dev and it tries to run via pam, I get
> this error:
> 
> 
> ###### Log ######
> PAM unable to dlopen(/lib/security/pam_krb5_migrate.so)
> PAM [dlerror: /lib/security/pam_krb5_migrate.so: undefined symbol:
> kadm5_free_policy_ent]
> PAM adding faulty module: /lib/security/pam_krb5_migrate.so
> ###### END ######
> 
> 
> I have it configured in PAM in /etc/pam.d/common-auth as follows:
> 
> 
> ###### /etc/pam.d/common-auth ######
> auth    sufficient      pam_unix.so nullok_secure
> auth    sufficient      pam_krb5.so minimum_uid=2000 use_first_pass
> auth    optional        pam_krb5_migrate.so min_uid=2000
> ###### END ######
> 
> 
> When a NIS user logs in, a Kerberos principal is not created and I get
> this in the kadmin log:
> 
> 
> ###### LOG ######
> kadmind[2083](Notice): Miscellaneous RPC error: X.X.X.X, invalid client
> handle received
> ###### END ######
> 
> 
> My thought on why it is not working is that the kadmin protocols from
> MIT Kerberos and Heimdal are not compatible. Since pam_krb5_migrate is
> compiled against Heimdal's kadmin code, I think that's where the error
> is coming from.
> 
> Am I missing something from the pam_krb5_migrate setup?


When you used the pam_krb5_migrate compiled with Heimdal, did you also
use the pam_krb5 compiled with Heimdal? Since both are loaded into the
same process, there could be lib or context mismatches.

> - --
> /*********************************************************\
> | Tim Schaab                |         Computer Facilities |
> | 608-262-3738              |        tim at geology.wisc.edu |
> | UW-Madison                |        Geology & Geophysics |
> \******** GPG Key: http://dev-zero.org/pubkey.asc ********/
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
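
The library mismatch raised in the reply above can be checked from each PAM module's shared-library dependencies. The script below is an added example, not part of the original thread: it classifies `ldd` output by marker libraries (libroken/libasn1 for Heimdal, libk5crypto/libkrb5support for MIT, an assumption of this example) and flags a stack that mixes the two; the sample `ldd` lines are constructed.

```shell
#!/bin/sh
# Read `ldd` output on stdin and report which Kerberos implementation it pulls in.
# Marker libraries (assumption): libroken/libasn1 = Heimdal, libk5crypto/libkrb5support = MIT.
krb_flavor() {
    awk '
        /libroken\.so|libasn1\.so/           { heimdal = 1 }
        /libk5crypto\.so|libkrb5support\.so/ { mit = 1 }
        END {
            if (heimdal && mit) print "mixed"
            else if (heimdal)   print "heimdal"
            else if (mit)       print "mit"
            else                print "none"
        }'
}

# Given one flavor per module in the PAM stack, report whether they agree.
# Modules that link no Kerberos library ("none") are ignored.
stack_verdict() {
    seen=""
    for flavor in "$@"; do
        case "$flavor" in
            none)  continue ;;
            mixed) echo mismatch; return 0 ;;
        esac
        if [ -n "$seen" ] && [ "$seen" != "$flavor" ]; then
            echo mismatch; return 0
        fi
        seen=$flavor
    done
    echo consistent
}

# Constructed ldd output (library versions and addresses are made up).
sample_migrate() { printf '%s\n' \
    'libkadm5clnt.so.4 => /usr/lib/libkadm5clnt.so.4 (0xb7e00000)' \
    'libkrb5.so.17 => /usr/lib/libkrb5.so.17 (0xb7d00000)' \
    'libasn1.so.6 => /usr/lib/libasn1.so.6 (0xb7c00000)' \
    'libroken.so.16 => /usr/lib/libroken.so.16 (0xb7b00000)'; }
sample_pam_krb5() { printf '%s\n' \
    'libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7f00000)' \
    'libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7ec0000)' \
    'libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7eb0000)'; }

a=$(sample_migrate | krb_flavor)
b=$(sample_pam_krb5 | krb_flavor)
echo "pam_krb5_migrate.so: $a, pam_krb5.so: $b => $(stack_verdict "$a" "$b")"
# On a live system: ldd /lib/security/pam_krb5_migrate.so | krb_flavor
```

Run `ldd` only on modules installed from trusted packages, since it may execute code from the file it inspects.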


