FYI: Kerberos on RHEL5

Edgecombe, Jason jwedgeco at uncc.edu
Fri Apr 6 14:02:32 EDT 2007


Hi Everyone,

This is a heads-up for anyone using kerberos on RedHat Enterprise Linux
5.

I just solved a problem that's been a royal pain for me.

I had console and gdm logins working fine for RHEL5 and I got kerberos
single sign-on working for ssh, but I had trouble getting password
authentication working. It would accept my kerberos password, but I
wouldn't have any tickets or tokens.

To solve my problem, I had to enable the use_shmem option in
/etc/krb5.conf for use with sshd.

Here is the appdefaults section of my /etc/krb5.conf:
[appdefaults]
  pam = {
    afs_cells = mycell.com
    ccache_dir = /tmp
    forwardable = true
    tokens = sshd
    external = sshd
    use_shmem = sshd
  }

This was extremely irritating because my previous config files work on
RHEL5 beta2.

I can now login using kerberos credentials on console or ssh.

There are some quirks. sshd takes about 5-10 seconds to login, it seems
to pause just after the "opening session" debug message in the secure
log. It also grabs a kerberos 4 ticket and gets tokens, but it doesn't
have a ticket for the afs service principal in the ticket cache.

Anyways, my stuff works now and I'm happy for the moment. I just wanted
to document this to save others the pain.

Sincerely,
Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 



