NIS => Kerberos/LDAP Migration

Tim Schaab tim at geology.wisc.edu
Mon Aug 13 17:19:45 EDT 2007



Thomas A. La Porte wrote:
> Not sure what you mean when you say that pam-krb5-migrate "doesn't work
> with MIT kerberos."
> 
> We used it in our infrastructure to do exactly what you are looking to
> do, and we use MIT Kerberos on Linux.
> 
> What problems did you run into?
> 
>  -- Tom

Part of the problem is trying to get it to actually run on a client
system running Linux, Ubuntu Edgy specifically. It will compile when
heimdal-dev is installed, but won't compile when krb5-dev is installed.

When I build it against heimdal-dev and it tries to run via pam, I get
this error:


###### Log ######
PAM unable to dlopen(/lib/security/pam_krb5_migrate.so)
PAM [dlerror: /lib/security/pam_krb5_migrate.so: undefined symbol: kadm5_free_policy_ent]
PAM adding faulty module: /lib/security/pam_krb5_migrate.so
###### END ######


I have it configured in PAM in /etc/pam.d/common-auth as follows:


###### /etc/pam.d/common-auth ######
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_krb5.so minimum_uid=2000 use_first_pass
auth    optional        pam_krb5_migrate.so min_uid=2000
###### END ######


When a NIS user logs in, a Kerberos principal is not created and I get
this in the kadmin log:


###### LOG ######
kadmind[2083](Notice): Miscellaneous RPC error: X.X.X.X, invalid client handle received
###### END ######


My thought on why it is not working is that the kadmin protocols from
MIT Kerberos and Heimdal are not compatible. Since pam_krb5_migrate is
compiled against Heimdal's kadmin code, I think that's where the error
is coming from.

Am I missing something from the pam_krb5_migrate setup?
--
/*********************************************************\
| Tim Schaab                |         Computer Facilities |
| 608-262-3738              |        tim at geology.wisc.edu |
| UW-Madison                |        Geology & Geophysics |
\******** GPG Key: http://dev-zero.org/pubkey.asc ********/
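
A pre-deployment check for the load failure shown in the log above, as an added example that is not part of the original post or of pam_krb5_migrate: it parses a PAM stack and tries to dlopen each module with RTLD_NOW, so an undefined symbol such as kadm5_free_policy_ent is reported before a login hits it. `MODULE_DIR`, the function names and the sample stack (a constructed copy of the one quoted above) are assumptions.

```python
import ctypes
import os

# Constructed copy of the common-auth stack quoted in the post.
SAMPLE_STACK = """\
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_krb5.so minimum_uid=2000 use_first_pass
auth    optional        pam_krb5_migrate.so min_uid=2000
"""
MODULE_DIR = "/lib/security"  # assumption: directory seen in the log; varies by distro


def parse_stack(text):
    """Return (type, control, module_path) for every module line in a PAM file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue  # blank line, comment, or @include directive
        mtype, control, rest = fields[0].lstrip("-"), fields[1], fields[2:]
        if control.startswith("["):  # "[success=1 default=ignore]" style control
            while not control.endswith("]") and rest:
                control += " " + rest.pop(0)
        if not rest:
            continue  # malformed line with no module name
        path = rest[0] if rest[0].startswith("/") else os.path.join(MODULE_DIR, rest[0])
        entries.append((mtype, control, path))
    return entries


def try_load(path):
    """dlopen with RTLD_NOW (resolve every symbol now); None on success, else error text."""
    try:
        ctypes.CDLL(path, mode=os.RTLD_NOW)
        return None
    except OSError as exc:
        return str(exc)


def check_stack(text):
    """Map each module path in the stack to its load error (None if it loads)."""
    return {path: try_load(path) for _, _, path in parse_stack(text)}


if __name__ == "__main__":
    for path, err in check_stack(SAMPLE_STACK).items():
        print(f"{'FAULTY' if err else 'ok':6} {path} {err or ''}")
```

Loading a module runs its initializers inside the checking process, so run this as an unprivileged user on the build or staging host rather than as root on a production login server.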


