Kerberos-Gssapi-ldap-pam interaction

Jerome Walter walter+SP at M.efrei.fr
Wed May 14 10:54:23 EDT 2003


In article <877k8tfzjb.fsf at papadoc.bayour.com>, Turbo Fredriksson wrote:
>>>>>> "Jerome" == Jerome Walter <walter+SP at M.efrei.fr> writes:
> 
>    Jerome> But, trying to get accounting info in the LDAP server is
>    Jerome> quite more complicated. I tried different configurations
>    Jerome> with nss, pam_ldap and pam.d config files but did not
>    Jerome> manage to get the account required pam_ldap.so working:
>    Jerome> Insufficient credentials to access authentiation data
> 
> What is saying 'Insufficient credentials'? PAM/LDAP? Login?

Mmmh, at login, PAM/LDAP I guess. It appears in the auth.log:
May 14 16:39:23 veau login[735]: pam_ldap: error trying to bind (invalid
credentials)

>    Jerome> Is there someone who has ever installed such a config?
> 
> On a NUMBER of machines. Rocks MY world! :)

I know that. Got your doc just next to the keyboard ;) There are a few things
to change though.

>    Jerome> Could you give me advice about how to configure things up?
> 
> http://www.bayour.com/LDAPv3-HOWTO.html

Did you ever PAM to the LDAP to get accounting info? It does not appear, just
pam_krb5 which works great for me.

>    Jerome> In the near future I should try OpenAFS, is there something
>    Jerome> special I should not do?
> 
> Get Kerberos working fully and learn how to administrate the whole
> shebang (LDAP, Kerberos etc) :)

Kerberos works great.
Ldap works great with GSSAPI and simple bind.

My first thoughts were that it could come from supportedSASLmechanisms, which
only returns GSSAPI and not plain, anonymous nor login...

Perhaps on the other hand I made an error configuring libnss-ldap, but I do
not know how to test it.

>    Jerome> Finally, is there something special to do to make sudo and
>    Jerome> ssh not require entering the password again?
>    Jerome> try_first_pass does not seem to work...
> 
> I don't care. I use 'ksu' instead :)

Yep, but my administrator won't give the root password to the students who,
like me, have some rights to rm, kill, renice or reboot some stations when
needed (some other students do not use their unix account very properly ;)

> If you want to do ssh, use the package 'ssh-krb5'. It's in woody...

That is what I use. But it still asks for the Kerberos password each time...

Jerome

-- 
-+--   Jérôme Walter - 	I2 EFREI		          ----+-
 Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
 "The World is my country" - "Nihon no tomodachi desu"
EFREI System and Networking guide http://perso.efrei.fr/~walter/  

