Problem using Kerberos for user authentication
Douglas E. Engert
deengert at anl.gov
Wed Nov 11 11:23:33 EST 2009
Javier Palacios wrote:
>> I'm trying to get off the ground setting up Kerberos on a Fedora 11 box.
>> I've attempted to follow the instructions here:
>> http://aput.net/~jheiss/krbldap/howto.html
>
> That is a pretty old howto (probably older than fedora).
>
>> I've tried both changing the password field for the user in /etc/shadow
>> to "*K*" (as mentioned in the howto) and removing the user's entry
>> in /etc/shadow altogether--in both cases login fails.
>
> The '*K*' thing is probably innacurate. I've never used, and had
> success in debian, fedora and RHEL. And removing the user entry in
> /etc/shadow (without changes in /etc/passwd) should produce a
> non-usable account, either with kerberos or whichever auth method.
if shadow has * it would be a locked account, and the pam account should not
allow login. Using NP i.e. no password works well as there is nopaswword
that can match NP. (When in LDAP, use {crypt}NP)
>
>> Any ideas what the problem might be? Or where else I should be looking
>> to find out?
>
> Just in case, you need to be able to `kinit username` (without the /admin).
>
> And for the pam_krb5 lines on system-auth, you can add 'debug' and
> will get some extra info on syslog.
>
> And following the question from Ryan, I recommend you to check first
> with console, then with ssh and finally with any window based login.
>
> Javier Palacios
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list