Linux authentication using Kerberos and AD
todd.ness at eds.com
Wed Jun 16 10:37:44 EDT 2004
Also, I believe that you must either put the user into NIS or the local
files, you do not have to have a shadow entry in local files. I have not
tried via NIS yet.
On the MS side you do not need AD4Unix.
You need to install the current service packs, if 2000 you need the high
encryption pack, and Microsoft services for UNIX 3.5 I think is the current
version. In the AD user management tool you need to go to the UNIX tab and
add that user to NIS. Make sure the uid and gid match what you put into the
On your Linux client you need a ldap.conf something like this...
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute gecos displayName
nss_map_attribute loginShell msSFU30LoginShell
You need to configure your files in /etc/pam.d properly
You need to add ldap to /etc/nsswitch.conf
Of course you have to setup krb5.conf kdc.conf
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Norbert Klasen
Sent: Tuesday, June 15, 2004 5:48 PM
To: Gallagher, Kevin; kerberos at mit.edu
Subject: Re: Linux authentication using Kerberos and AD
--On Donnerstag, 10. Juni 2004 16:26 +0100 "Gallagher, Kevin"
<K.Gallagher at napier.ac.uk> wrote:
> I am trying to establish single sign on using linux,AD and Kerberos. I
> have created a test account in AD which does not exist in either local
> files or NIS. I have created a ketyab file and imported it on my linux
> box, configured both /etc/krb5.conf and /etc/pam.conf for my Reakm and
> Kerberos. I can use kinit to authenticate my test account and can see
> the TGTfor my test account as the security principle with klist.
> However I can't see the test account with getent passwd which may
> explain why I can't logon as the test account. The pam_krb5 error
> indicates it can't get a uid/gid. I can authenticate if I put a
> corresponding account in /etc/passwd or NIS but thus defeats the point
> if the exercise. Can anyone suggest what I may have missed and what
> needs to be edited in order for getent passwd to work?
You cannot get uid/gid information via Kerberos/PAM.
First you'll need to extend your AD to store these information (e.g. with
Microsoft Services for UNIX). Then you can setup NSS with LDAP to retrieve
this information from your AD. See <http://www.padl.com/OSS/nss_ldap.html>
Kerberos mailing list Kerberos at mit.edu
More information about the Kerberos