Kerberos and LDAP

Davor Ocelic docelic at mail.inet.hr
Thu Oct 30 07:52:23 EDT 2008


On Thu, 30 Oct 2008 10:36:35 +0100
Ronni Feldt <rofe at one.com> wrote:

> Hi,
> 
> I'm still trying to get this to work.
> 
> tail /var/log/auth.log on workstation says this:
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass; user unknown
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): authentication failure; logname=rofe uid=0 euid=0 tty=tty2 ruser= rhost=
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account): could not identify user (from getpwnam(ronni))
> 

Hello,

Tcpdump is overkill in this simple scenario.

A requirement for the login to succeed is to have commands such as
'id mirko' or 'id ronni' return the getent information for the 
requested user.

Not always, but 'getent passwd' should in most cases also return
an output that looks like a passwd file, but has both local and
remote entries included.

For that, you need the libnss-ldap package installed & configured on
the client. (Configuration consists of libnss-ldap.conf and 
nsswitch.conf).

Also, if you have nscd installed on the client, turn it off for
a while until you get 'id ronni' working.

After you get that working first, move on to the actual
login step.

Cya,
-doc
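
The checks described in this reply, as an added shell example that is not part of the original message: it confirms that nsswitch.conf lists ldap for passwd, warns if nscd is running, tests the lookup with getent, and pulls the unresolved user names out of an auth.log. The function names are hypothetical, and the log format assumed is the pam_unix line quoted above.

```shell
#!/bin/sh
# Added example: verify the NSS prerequisites before debugging the login step.

# nss_has_ldap FILE DB
# Succeeds if "ldap" is one of the sources listed for database DB
# (e.g. passwd) in an nsswitch.conf-format FILE. Comments are ignored.
nss_has_ldap() {
    sed 's/#.*//' "$1" | awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# unresolved_users LOGFILE
# Prints each user name that pam_unix could not resolve through getpwnam().
# These are NSS lookup failures, not wrong passwords.
unresolved_users() {
    sed -n 's/.*could not identify user (from getpwnam(\([^)]*\))).*/\1/p' "$1" |
        sort -u
}

# check_user NAME [NSSWITCH_FILE]
# Returns 0 if NAME resolves, 1 if the lookup fails, 2 if ldap is not
# configured as a passwd source at all.
check_user() {
    conf=${2:-/etc/nsswitch.conf}
    if ! nss_has_ldap "$conf" passwd; then
        echo "passwd in $conf has no ldap source"
        return 2
    fi
    # nscd caches lookups (including failed ones), so a running daemon
    # can mask the effect of a configuration change.
    if pgrep -x nscd >/dev/null 2>&1; then
        echo "nscd is running; stop it until the lookup works"
    fi
    if getent passwd "$1" >/dev/null; then
        echo "$1 resolves through NSS"
    else
        echo "$1 does not resolve; check the libnss-ldap configuration"
        return 1
    fi
}

# Usage on the client (run as root to read the log):
#   unresolved_users /var/log/auth.log
#   check_user ronni
```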
