Possibility of not creating host principals and keytabs for Workstations

Barry King barryking93 at gmail.com
Wed Jan 16 13:09:12 EST 2008


I'm looking for a way to use a combination of Kerberos & LDAP authentication
for (primarily Fedora 8) Linux workstations.  My goal is to have an
automated install that will allow users to authenticate to Kerberos
immediately after install, without the need to create host principals or
extract keytabs.

Right now, when I ssh in, it hangs and I get this with debug turned on:

Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: trying previously-entered password for 'bking', allowing libkrb5 to prompt for more
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: authenticating 'bking@REALM' to 'krbtgt/REALM@REALM'
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: krb5_get_init_creds_password(krbtgt/REALM@REALM returned 0 (Success)
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: got result 0 (Success)

Thoughts?

My (sanitized) krb5.conf:

[logging]
        default         =       SYSLOG:ERR:USER

[libdefaults]
        default_realm           =       REALM
        dns_lookup_kdc          =       false
        dns_lookup_realm        =       false
        noaddresses             =       true
        validate                =       false

[realms]
        EXPERTCITY.COM = {
                kdc             =       names1.realm
                master_kdc      =       names0.realm
                admin_server    =       names0.realm
                auth_to_local   =       RULE:[2:$1;$2](.*;root)s/;root$//
                auth_to_local   =       RULE:[2:$1;$2](.*;admin)s/;admin$//

                auth_to_local   =       DEFAULT
        }

[domain_realm]
        .realm         =       REALM

[appdefaults]
        pam = {
                forwardable = true
        }

My pam.d/system-auth:

auth            required        /lib/security/$ISA/pam_env.so
auth            sufficient      /lib/security/$ISA/pam_unix.so likeauth nullok
auth            sufficient      /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug
#auth           required        /lib/security/$ISA/pam_deny.so

account         required        /lib/security/$ISA/pam_unix.so broken_shadow
account         sufficient      /lib/security/$ISA/pam_localuser.so
account         sufficient      /lib/security/$ISA/pam_krb5.so debug
account         sufficient      /lib/security/$ISA/pam_ldap.so debug
account         required        /lib/security/$ISA/pam_permit.so

password        requisite       /lib/security/$ISA/pam_cracklib.so retry=3
password        sufficient      /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password        sufficient      /lib/security/$ISA/pam_krb5.so use_authtok debug
password        required        /lib/security/$ISA/pam_deny.so debug

session         required        /lib/security/$ISA/pam_limits.so
session         required        /lib/security/$ISA/pam_unix.so
#session        required        /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         optional        /lib/security/$ISA/pam_krb5.so debug
session         optional        /lib/security/$ISA/pam_ldap.so debug

Any ideas?  Is what I'm trying even possible?

Thanks,

-- 
Barry King
barryking93 at gmail.com
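A small configuration-audit script, added here as an example and not part of Barry's post or of pam_krb5 itself. It parses a Red Hat-style system-auth stack and a krb5.conf (both constructed samples, modelled on the files quoted above) and reports the settings that weaken Kerberos login on a workstation that has no host keytab: `nullok` on pam_unix, `debug` left switched on, an auth stack whose last active line is not `required pam_deny.so`, and `validate = false`, which tells pam_krb5 not to check the obtained TGT against a host keytab and is the setting that makes keytab-less workstations possible in the first place. A hardened copy of the same stack is included so the audit can be seen passing. Module and option names are the real pam_unix/pam_krb5 ones; the finding texts, file layouts and the `parse_*`/`audit_*` function names are my own.

```python
"""Config audit for a Red Hat-style PAM system-auth stack and a krb5.conf.
Added example (not from the post or from pam_krb5); the sample files below are
constructed, modelled on the configuration quoted in the post."""
import re

# Constructed sample: the poster's auth/account stack, wrapped lines re-joined.
SAMPLE_PAM = """\
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug
#auth    required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so broken_shadow
account  sufficient /lib/security/$ISA/pam_localuser.so
account  sufficient /lib/security/$ISA/pam_krb5.so debug
account  required   /lib/security/$ISA/pam_permit.so
"""

# Constructed hardened variant: no empty passwords, debug off, explicit final deny.
HARDENED_PAM = """\
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth
auth     sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so broken_shadow
account  sufficient /lib/security/$ISA/pam_localuser.so
account  sufficient /lib/security/$ISA/pam_krb5.so
account  required   /lib/security/$ISA/pam_permit.so
"""

# Constructed krb5.conf fragment with TGT validation switched off, as in the post.
SAMPLE_KRB5 = """\
[libdefaults]
        default_realm = REALM
        validate      = false
[realms]
        REALM = {
                kdc = names1.realm
        }
"""


def parse_pam(text):
    """Return (type, control, module, options) for each active (uncommented) line."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        module = parts[2].rsplit("/", 1)[-1]      # drop the /lib/security/$ISA/ prefix
        entries.append((parts[0], parts[1], module, set(parts[3:])))
    return entries


def parse_krb5(text):
    """Return (section, key, value) triples; realm sub-blocks are flattened into
    their enclosing section, which is all this audit needs."""
    triples, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif "=" in line and not line.endswith("{"):
            key, _, value = line.partition("=")
            triples.append((section, key.strip(), value.strip()))
    return triples


def audit_pam(text):
    """Flag settings in the auth/account stack that weaken authentication."""
    entries = parse_pam(text)
    findings = []
    for typ, _ctl, mod, opts in entries:
        if typ == "auth" and mod == "pam_unix.so" and "nullok" in opts:
            findings.append("auth: pam_unix.so nullok accepts empty passwords for local accounts")
    debug_lines = sum(1 for e in entries if "debug" in e[3])
    if debug_lines:
        findings.append(f"{debug_lines} line(s) still carry 'debug'; remove once troubleshooting is done")
    auth = [e for e in entries if e[0] == "auth"]
    if auth and not (auth[-1][1] == "required" and auth[-1][2] == "pam_deny.so"):
        findings.append("auth: stack does not end in 'required pam_deny.so'; the result of "
                        "every sufficient module failing is left to framework defaults")
    return findings


def audit_krb5(text):
    """Flag a krb5.conf that turns off pam_krb5's validation of the TGT."""
    findings = []
    for section, key, value in parse_krb5(text):
        if key == "validate" and value.lower() == "false":
            findings.append(f"[{section}] validate = false: the TGT is not checked against a "
                            "host keytab, so a spoofed KDC could satisfy password login")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_PAM), ("hardened", HARDENED_PAM)):
        print(name, audit_pam(text) or ["no findings"])
    print("krb5.conf", audit_krb5(SAMPLE_KRB5))
```

Run it as-is and the sample stack produces three findings while the hardened stack produces none; the krb5.conf check fires on `validate = false`. The point of the last finding is the trade-off the question is really about: skipping host principals and keytabs is only workable with validation off, and the audit records that choice so it can be reviewed rather than forgotten.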


