Possibility of not creating host principals and keytabs for Workstations

Douglas E. Engert deengert at anl.gov
Thu Jan 17 10:54:09 EST 2008



Barry King wrote:
> I'm looking for a way to use a combination of kerberos & ldap authentication
> for (primarily Fedora 8) Linux workstations.  My goal is to have an
> automated install that will allow users to authenticate to kerberos
> immediately after install, without the need to create host principals or
> extract keytabs.
> 
> Right now, when I ssh in, it hangs and I get this with debug turned on:
> 
> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: trying previously-entered password for 'bking', allowing libkrb5 to prompt for more
> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: authenticating 'bking at REALM' to 'krbtgt/REALM at REALM'
> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: krb5_get_init_creds_password(krbtgt/REALM at REALM returned 0 (Success)
> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: got result 0 (Success)
> 
> Thoughts?

Your install needs to be done so it creates the keytab and updates the KDC.
This requires the admin doing the install to have privileges to create
host principals in the KDC. Or you need to create the principals in the KDC
ahead of time and provide the keytab to the admin doing the install.

There is no way you would want ordinary users creating principals in the KDC.

> 
> My (sanitized) krb5.conf:
> 
> [logging]
>         default         =       SYSLOG:ERR:USER
> 
> [libdefaults]
>         default_realm           =       REALM
>         dns_lookup_kdc          =       false
>         dns_lookup_realm        =       false
>         noaddresses             =       true
>         validate                =       false
> 
> [realms]
>         EXPERTCITY.COM = {
>                 kdc             =       names1.realm
>                 master_kdc      =       names0.realm
>                 admin_server    =       names0.realm
>                 auth_to_local   =       RULE:[2:$1;$2](.*;root)s/;root$//
>                 auth_to_local   =       RULE:[2:$1;$2](.*;admin)s/;admin$//
> 
>                 auth_to_local   =       DEFAULT
>         }
> 
> [domain_realm]
>         .realm         =       REALM
> 
> [appdefaults]
>         pam = {
>                 forwardable = true
>         }
> 
> My pam.d/system-auth:
> 
> auth            required        /lib/security/$ISA/pam_env.so
> auth            sufficient      /lib/security/$ISA/pam_unix.so likeauth nullok
> auth            sufficient      /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug
> #auth           required        /lib/security/$ISA/pam_deny.so
> 
> account         required        /lib/security/$ISA/pam_unix.so broken_shadow
> account         sufficient      /lib/security/$ISA/pam_localuser.so
> account         sufficient      /lib/security/$ISA/pam_krb5.so debug
> account         sufficient      /lib/security/$ISA/pam_ldap.so debug
> account         required        /lib/security/$ISA/pam_permit.so
> 
> password        requisite       /lib/security/$ISA/pam_cracklib.so retry=3
> password        sufficient      /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password        sufficient      /lib/security/$ISA/pam_krb5.so use_authtok debug
> password        required        /lib/security/$ISA/pam_deny.so debug
> 
> session         required        /lib/security/$ISA/pam_limits.so
> session         required        /lib/security/$ISA/pam_unix.so
> #session        required        /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session         optional        /lib/security/$ISA/pam_krb5.so debug
> session         optional        /lib/security/$ISA/pam_ldap.so debug
> 
> Any ideas?  Is what I'm trying even possible?
> 
> Thanks,
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
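The install-time step Engert describes, as an added example that is not part of this thread or of any Kerberos distribution: a small POSIX sh helper a kickstart post-install section can call to either create host/<fqdn> itself (using a keytab for a restricted kadmin principal shipped with the installer) or drop in a keytab the KDC admin extracted ahead of time, and then check that the host can actually get a ticket with its own key. The realm EXAMPLE.COM, the enrollment principal host-enroll/admin and its keytab path are placeholders I chose; the kadmin, ktadd, klist and kinit invocations are standard MIT Kerberos commands. DRY_RUN=1 prints the commands instead of running them, so the logic can be checked on a machine without a KDC.

```shell
#!/bin/sh
# Added example (not from the original thread): automate the host-principal and
# keytab step so an automated Fedora install can run it, instead of leaving the
# workstation without a host key. Two modes:
#   1. enroll_host    - installer holds a keytab for a restricted kadmin principal
#                       and creates host/<fqdn> with a random key itself
#   2. install_keytab - principal was created ahead of time; installer is handed
#                       the extracted keytab and only has to put it in place
# Realm, principal and paths below are placeholders (assumptions), not values
# from the post. DRY_RUN=1 prints each command instead of executing it.

REALM="${REALM:-EXAMPLE.COM}"                             # placeholder realm
ADMIN_PRINC="${ADMIN_PRINC:-host-enroll/admin@$REALM}"    # placeholder; restrict it in kadm5.acl
ADMIN_KEYTAB="${ADMIN_KEYTAB:-/root/host-enroll.keytab}"  # placeholder path on the install image
HOST_KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# host_principal FQDN REALM -> host/FQDN@REALM
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Mode 1: create the host principal in the KDC and extract its key locally.
# kadmin -k -t authenticates with the enrollment keytab, so no password is
# needed at install time. ktadd rekeys the principal, which is fine right after
# addprinc -randkey.
enroll_host() {
    fqdn="$1"
    princ=$(host_principal "$fqdn" "$REALM")
    run kadmin -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB" -q "addprinc -randkey $princ" || return 1
    run kadmin -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB" -q "ktadd -k $HOST_KEYTAB $princ" || return 1
    run chown root:root "$HOST_KEYTAB"
    run chmod 600 "$HOST_KEYTAB"
}

# Mode 2: install a keytab the KDC admin extracted ahead of time.
install_keytab() {
    run install -o root -g root -m 600 "$1" "$HOST_KEYTAB"
}

# Check: list the keytab and obtain a TGT as the host principal into a scratch
# credential cache (so root's own cache is not touched), then destroy it.
verify_keytab() {
    fqdn="$1"
    princ=$(host_principal "$fqdn" "$REALM")
    cc="FILE:/tmp/krb5cc_verify_$$"
    run klist -k -t "$HOST_KEYTAB" || return 1
    run env KRB5CCNAME="$cc" kinit -k -t "$HOST_KEYTAB" "$princ" || return 1
    run env KRB5CCNAME="$cc" kdestroy
}

# Usage from a post-install script (not run here, so the file can be sourced):
#   enroll_host "$(hostname -f)" && verify_keytab "$(hostname -f)"
#   install_keytab /mnt/install/ws1.keytab && verify_keytab "$(hostname -f)"
```

The enrollment keytab that rides along with the installer is itself a credential, so give host-enroll/admin an entry in kadm5.acl whose target is limited to host/*@REALM rather than a blanket "*" admin grant; that keeps Engert's point intact (only an admin-level principal creates host principals) while limiting what a copied install image can do. The `validate` setting in the posted krb5.conf is worth revisiting once the keytab exists, since a host key is what lets pam_krb5 check that the TGT it obtained really came from the KDC.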



More information about the Kerberos mailing list