Linux authentication using Kerberos and AD

Norbert Klasen norbert+lists.mit-kerberos at burgundy.dyndns.org
Tue Jun 15 19:47:43 EDT 2004



--On Thursday, 10 June 2004 16:26 +0100 "Gallagher, Kevin" 
<K.Gallagher at napier.ac.uk> wrote:

> I am trying to establish single sign-on using Linux, AD and Kerberos. I
> have created a test account in AD which does not exist in either local
> files or NIS. I have created a keytab file and imported it on my Linux
> box, configured both /etc/krb5.conf and /etc/pam.conf for my Realm and
> Kerberos. I can use kinit to authenticate my test account and can see the
> TGT for my test account as the security principal with klist. However I
> can't see the test account with getent passwd which may explain why I
> can't log on as the test account. The pam_krb5 error indicates it can't
> get a uid/gid. I can authenticate if I put a corresponding account in
> /etc/passwd or NIS but this defeats the point of the exercise. Can anyone
> suggest what I may have missed and what needs to be edited in order for
> getent passwd to work?

You cannot get uid/gid information via Kerberos/PAM.
First you'll need to extend your AD to store this information (e.g. with 
Microsoft Services for UNIX). Then you can set up NSS with LDAP to retrieve 
this information from your AD. See <http://www.padl.com/OSS/nss_ldap.html>


Norbert
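
An added configuration sketch of the NSS-over-LDAP setup described in the reply above; it is not part of the original message. The host name, base DN, bind account and CA path are constructed placeholders, and the msSFU30* attribute names assume the Services for UNIX 3.x schema (other SFU versions use different names).

```conf
# ---- /etc/nsswitch.conf ----
# Local files first, then LDAP (AD) for accounts that exist only in AD.
passwd: files ldap
group:  files ldap

# ---- /etc/ldap.conf (read by nss_ldap) ----
# Placeholders: dc1.example.com, dc=example,dc=com, nss-reader, ad-ca.pem
uri ldap://dc1.example.com/
base dc=example,dc=com
ldap_version 3
scope sub

# Protect the lookups in transit and verify the domain controller's cert.
ssl start_tls
tls_cacertfile /etc/ssl/certs/ad-ca.pem
tls_checkpeer yes

# AD does not answer anonymous searches by default. nss_ldap runs inside
# every process that does a lookup, so local users can read this file:
# use a dedicated account limited to reading these attributes.
binddn cn=nss-reader,cn=Users,dc=example,dc=com
bindpw CHANGE_ME

# Present AD user objects as POSIX accounts via the SFU attributes.
nss_map_objectclass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell

# Present AD groups as POSIX groups.
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember

# userPassword is deliberately left unmapped: pam_krb5 does the
# authentication, so no password data needs to travel over LDAP.
```

With this in place, `getent passwd` for the AD-only test account should return an entry carrying the uid/gid that pam_krb5 could not find.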

