Possibility of not creating host principals and keytabs for Workstations
Barry King
barryking93 at gmail.com
Wed Jan 16 13:09:12 EST 2008
I'm looking for a way to use a combination of kerberos & ldap authentication
for (primarily Fedora 8) Linux workstations. My goal is to have an
automated install that will allow users to authenticate to kerberos
immediately after install, without the need to create host principals or
extract keytabs.
Right now, when I ssh in, it hangs and I get this with debug turned on:
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: trying previously-entered password for 'bking', allowing libkrb5 to prompt for more
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: authenticating 'bking@REALM' to 'krbtgt/REALM@REALM'
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: krb5_get_init_creds_password(krbtgt/REALM@REALM) returned 0 (Success)
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: got result 0 (Success)
Thoughts?
My (sanitized) krb5.conf:
[logging]
    default = SYSLOG:ERR:USER

[libdefaults]
    default_realm = REALM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    noaddresses = true
    validate = false

[realms]
    EXPERTCITY.COM = {
        kdc = names1.realm
        master_kdc = names0.realm
        admin_server = names0.realm
        auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
        auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
        auth_to_local = DEFAULT
    }

[domain_realm]
    .realm = REALM

[appdefaults]
    pam = {
        forwardable = true
    }
My pam.d/system-auth:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug
#auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_krb5.so debug
account sufficient /lib/security/$ISA/pam_ldap.so debug
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok debug
password required /lib/security/$ISA/pam_deny.so debug
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
#session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional /lib/security/$ISA/pam_krb5.so debug
session optional /lib/security/$ISA/pam_ldap.so debug
Any ideas? Is what I'm trying even possible?
Thanks,
--
Barry King
barryking93 at gmail.com
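A small audit of the configuration shape described above, added here as an example and not code from the post or from pam_krb5: it parses a krb5.conf laid out like the one posted (nested stanzas, repeated auth_to_local rules) and reports what running without a host keytab costs, namely that pam_krb5 can never check the TGT it obtains against a host key. The hostnames are constructed, and the order in which pam_krb5 consults validate ([appdefaults] pam first, then [libdefaults]) is an assumption.

```python
"""Audit a krb5.conf for the trade-off in the post: with no host principal and keytab, pam_krb5
runs with validate = false, so the TGT it obtains is never checked against a host key."""
# Constructed krb5.conf modelled on the sanitized one in the post (hostnames are made up).
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    validate = false
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
        auth_to_local = DEFAULT
    }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf text into nested dicts; `name = {` stanzas nest, repeated keys become lists."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and surrounding whitespace
        if not line: continue
        if line[0] == '[' and line[-1] == ']':        # [section] header starts a new top-level dict
            stack = [root.setdefault(line[1:-1], {})]
        elif line == '}':                             # end of a nested stanza
            stack.pop()
        else:
            key, _, value = (part.strip() for part in line.partition('='))
            cur = stack[-1]
            if value == '{':                          # start of a nested stanza, e.g. REALM = {
                stack.append(cur.setdefault(key, {}))
            elif key in cur:                          # repeated key (several auth_to_local rules)
                cur[key] = ([cur[key]] if isinstance(cur[key], str) else cur[key]) + [value]
            else:
                cur[key] = value
    return root

def audit(conf_text, keytab_present):
    """Findings a defender would raise; assumes validate is read from [appdefaults] pam, then [libdefaults], and unset means off."""
    conf = parse_krb5_conf(conf_text)
    lib, pam = conf.get('libdefaults', {}), conf.get('appdefaults', {}).get('pam', {})
    findings = []
    if str(pam.get('validate', lib.get('validate', 'false'))).lower() != 'true':
        findings.append('validate off: a TGT is accepted without being checked against a host key')
    if not keytab_present:
        findings.append('no host keytab: a spoofed KDC reply can satisfy a password login')
    if (realm := lib.get('default_realm')) and realm not in conf.get('realms', {}) and lib.get('dns_lookup_kdc', 'true').lower() != 'true':
        findings.append(f'default_realm {realm} has no [realms] stanza and DNS KDC lookup is off')
    return findings
```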