Can use kerberized telnet, but cannot use pam_krb5
Douglas E. Engert
deengert at anl.gov
Wed Feb 1 11:53:03 EST 2006
Ralf Hildebrandt wrote:
> * Douglas E. Engert <deengert at anl.gov>:
>
>>Did you add the host account to AD?
>
> Yes.
>
>>Did you run the MS ktpass to set the service principal in the account,
>
> Yes.
>
>>set the password on the account, and generate a keytab file?
>
> Yes.
>
>>Did you copy the keytab file back to the Unix system?
>
> Yes.
>
>>See
>>http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
>
> I did EXACTLY that.
>
> Meanwhile, I'm down to this in my /etc/pam.d/openvpn-krb5 file:
>
> auth requisite pam_krb5.so no_ccache debug
> account required pam_permit.so
>
> This works IF AND ONLY IF the account I try to log in as (hildeb in my
> example) exists in /etc/passwd. I log in using the Kerberos password
> (the password from /etc/passwd DOES NOT WORK), but for unknown reasons
> the system insists on the existence of the local account "hildeb" :(
Yes. Kerberos is for authentication only. The password file is also being
used for authorization to use the local account (i.e. there is an entry)
and as a database to hold UID, GID, home and shell. So you still have to
have a password file (or NIS or LDAP) for this data. Using Kerberos means
they don't need the password field.
Also see the .k5login.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
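The authentication/authorization split Douglas describes, as an added example that is not part of the thread and not MIT Kerberos or pam_krb5 code: Kerberos proves which principal is logging in, the passwd database (files, NIS or LDAP) still has to supply an existing account with UID, GID, home and shell, and ~/.k5login decides which principals may use that account. The decision rules below are modelled on my understanding of krb5_kuserok() (default name@DEFAULT_REALM mapping when no .k5login exists, explicit list only when it does); the account name hildeb, the realms AD.EXAMPLE.COM and OTHER.EXAMPLE.COM and the sample passwd entry are constructed for the example.

```python
import os
import pwd
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LocalAccount:
    """What the passwd database (files, NIS or LDAP) must still provide when
    Kerberos handles the password: an existing name plus UID, GID, home and
    shell. The passwd password field itself is never consulted here."""
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, REALM); a realm is required here."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal {principal!r} must be of the form name@REALM")
    return name, realm


def authorize(principal: str, local_user: str, default_realm: str,
              accounts: Dict[str, LocalAccount],
              k5login: Optional[List[str]]) -> Tuple[bool, str]:
    """Authorization only: the principal is assumed to have already
    authenticated (that is what pam_krb5 verifies). Returns (allowed, reason).

    Rules (modelled on krb5_kuserok, an assumption of this example):
      * no local account   -> refuse, whatever Kerberos said;
      * no ~/.k5login      -> allow only name@DEFAULT_REALM for local 'name';
      * ~/.k5login present -> allow only principals listed in it, the
                              default mapping no longer applies.
    """
    account = accounts.get(local_user)
    if account is None:
        # The symptom from the thread: the Kerberos password is accepted but
        # the login still fails, because nothing on the Unix side can supply
        # UID, GID, home and shell for the requested account.
        return False, f"no local account {local_user!r} in the passwd database"

    name, realm = parse_principal(principal)
    if k5login is None:
        if name == local_user and realm == default_realm:
            return True, "default mapping: same name, default realm"
        return False, (f"{principal} does not map to {local_user} and "
                       f"{account.home}/.k5login does not exist")

    if principal in k5login:
        return True, f"{principal} is listed in {account.home}/.k5login"
    return False, f"{principal} is not listed in {account.home}/.k5login"


def system_account(local_user: str) -> Optional[LocalAccount]:
    """Real lookup through NSS (local files, NIS, LDAP, ...)."""
    try:
        p = pwd.getpwnam(local_user)
    except KeyError:
        return None
    return LocalAccount(p.pw_name, p.pw_uid, p.pw_gid, p.pw_dir, p.pw_shell)


def system_k5login(account: LocalAccount) -> Optional[List[str]]:
    """Read ~/.k5login; None when absent. A file not owned by the account's
    UID is treated as an empty list, since whoever wrote it could otherwise
    grant themselves access to the account."""
    path = os.path.join(account.home, ".k5login")
    try:
        if os.stat(path).st_uid != account.uid:
            return []
        with open(path) as fh:
            return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        return None


def check_system(principal: str, local_user: str, default_realm: str) -> Tuple[bool, str]:
    """The same decision run against the live passwd database and home directory."""
    account = system_account(local_user)
    accounts = {account.name: account} if account else {}
    k5login = system_k5login(account) if account else None
    return authorize(principal, local_user, default_realm, accounts, k5login)


# Constructed sample data (hypothetical names): a local 'hildeb' account, and
# the AD realm configured as the Unix default realm.
SAMPLE_REALM = "AD.EXAMPLE.COM"
SAMPLE_ACCOUNTS = {
    "hildeb": LocalAccount("hildeb", 1001, 1001, "/home/hildeb", "/bin/bash"),
}

if __name__ == "__main__":
    cases = [
        ("hildeb@AD.EXAMPLE.COM", "hildeb", {}, None),                  # no passwd entry
        ("hildeb@AD.EXAMPLE.COM", "hildeb", SAMPLE_ACCOUNTS, None),     # default mapping
        ("hildeb@OTHER.EXAMPLE.COM", "hildeb", SAMPLE_ACCOUNTS, None),  # wrong realm
        ("ralf@AD.EXAMPLE.COM", "hildeb", SAMPLE_ACCOUNTS, ["ralf@AD.EXAMPLE.COM"]),
        ("hildeb@AD.EXAMPLE.COM", "hildeb", SAMPLE_ACCOUNTS, ["ralf@AD.EXAMPLE.COM"]),
    ]
    for principal, user, accounts, k5 in cases:
        ok, why = authorize(principal, user, SAMPLE_REALM, accounts, k5)
        print(f"{principal:28} -> {user:8} {'ALLOW' if ok else 'DENY '} ({why})")
```

The first case is exactly Ralf's situation: authentication succeeds (the Kerberos password was right) but authorization fails because there is no passwd entry to supply the account data. The last two cases show why Douglas points at .k5login: once the file exists it is the only source of mappings, so a user who wants both their own principal and a colleague's to reach the account must list both.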