Ubuntu Kerberos and Active Directory

Russ Allbery rra at stanford.edu
Tue Sep 12 21:23:08 EDT 2006


Rohit Kumar Mehta <rohitm at engr.uconn.edu> writes:

> Hey guys, I did an "apt-get install libpam-krb5" which removed
> libpam-heimdal, and the problem is now gone.  (I reproduced the problem
> in both Debian-etch and Ubuntu-dapper).  I am guessing there is some
> problem with the heimdal libs.

Yeah, that means that there's something that was keeping Heimdal from
figuring out your realm.  I'm not sure what that is.  I'm unfortunately
not particularly familiar with Heimdal.  I'm happy to fix the problem if
there's something that I can do in the PAM module, although it sounds like
it may have been some additional configuration that Heimdal was expecting
that MIT doesn't need.  (?)

The call was failing inside the Kerberos library saying that the library
was unable to determine the default realm.  There's some possibility that
I broke something about the realm detection logic in 2.3, but it would
surprise me, particularly that you were seeing the same problem with the
old 1.0 module.

> Now I can ssh to the machine using Active Directory credentials.
> However, even though klist shows my ticket, I cannot do passwordless
> authentication.

> I am guessing that setup is a little more involved and requires a keytab
> and adding records to the Active Directory.  Does anyone know if this is
> correct?

In order to use an existing Kerberos ticket to authenticate to a system,
that system has to have a keytab, correct.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
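
An added example, not part of the original message or of the PAM module: a check for the two prerequisites discussed above, a default realm the Kerberos library can determine and a keytab on the system being logged in to. It assumes the realm is set explicitly as default_realm in [libdefaults] of krb5.conf (one way a library learns the realm, not necessarily what failed in this thread) and that sshd's GSSAPI authentication needs a host/<fqdn> key in the keytab; the function names, host names and sample inputs are constructed.

```python
import re

def default_realm(krb5_conf_text):
    """Return default_realm from [libdefaults], or None if it is not set.
    Include directives are not followed (simplification for this example)."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)   # section header, e.g. [libdefaults]
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm" and value:
                return value
    return None

def host_principals(klist_k_output):
    """Extract host/ service principals from `klist -k` style output."""
    return sorted(set(re.findall(r"\bhost/[^\s@]+@\S+", klist_k_output)))

def check(krb5_conf_text, klist_k_output, fqdn):
    """Return (realm, problems) for ticket-based login to fqdn."""
    problems = []
    realm = default_realm(krb5_conf_text)
    if realm is None:
        problems.append("no default_realm in [libdefaults]")
    wanted = f"host/{fqdn}@"
    if not any(p.startswith(wanted) for p in host_principals(klist_k_output)):
        problems.append(f"no host/{fqdn} key in keytab")
    return realm, problems

# Constructed sample inputs (not taken from the thread).
CONF_BROKEN = """\
[libdefaults]
    # default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""
CONF_OK = CONF_BROKEN.replace("# default_realm", "default_realm")
KLIST_EMPTY = "Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ---------\n"
KLIST_OK = KLIST_EMPTY + "   2 host/client.example.com@EXAMPLE.COM\n"
```

On a real host the two text inputs would be the contents of /etc/krb5.conf and the output of `klist -k` run as root.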


