Problem using Kerberos for user authentication
Ryan Lynch
ryan.b.lynch at gmail.com
Wed Nov 11 11:41:34 EST 2009
On Wed, Nov 11, 2009 at 04:46, Braden McDaniel <braden at endoframe.com> wrote:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
>
For starters, here's my '/etc/pam.d/system_auth':
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so minimum_uid=9999 debug
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_krb5.so minimum_uid=9999 debug
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so minimum_uid=9999 debug
password required pam_deny.so
#session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_krb5.so minimum_uid=9999 debug
session required pam_unix.so
There are some differences between our setups. The biggest difference
appears to be that I'm using 'pam_krb5' in combination with
'nss_ldap', because my user/group accounts are stored in LDAP (on an
MS Active Directory DC). All accounts are either purely local (only
exist in /etc/passwd, group, and shadow), or purely AD (only exist in
Kerberos and LDAP)--there are no overlapping cases, where an account
has a local /etc/passwd entry and a Kerberos principal, as well.
So I don't think this will be very useful to you, after all. Sorry
about that. But I do want to suggest a couple of things that might
help:
- Authenticating SSH logins via Kerberos tokens requires some changes
to ssh_config, and possibly sshd_config, as well. If you haven't
modified either the client or server for GSS/Kerberos operations, and
you're not using any special command-line options, that may be part of
your problem.
- Can you post a copy of your /etc/krb5.conf file up here, as well?
In my experience, it's awfully hard to distinguish between errors in
the krb5.conf and pam.d/system_auth.
- I wanted to echo Javier's suggestion about using the 'debug'
parameter to 'pam_krb5'. You can activate it via the 'system_auth'
lines, or via your 'krb5.conf'. I could not have gotten my setup to
work without the debug messages.
-Ryan
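As an added illustration (not part of the thread, and not code from either poster): a small Python parser for Linux-PAM service files with a few defensive checks on the auth stack. It embeds Ryan's system_auth from the message above as sample input, handles the bracketed `[value=action ...]` control syntax, and reports three things a reviewer of such a stack would look at: whether the stack ends in an explicit `required pam_deny.so`, whether `pam_krb5.so` placed after `pam_unix.so` reuses the first password (`use_first_pass`/`try_first_pass`) instead of prompting again, and whether a `pam_succeed_if uid >= N` gate and `pam_krb5 minimum_uid=M` leave a uid range that passes the gate but is skipped by Kerberos and so lands on the deny rule. The check logic and the wording of the findings are this example's own assumptions about how those modules behave, not anything the posters stated.

```python
"""Added example (not from the post): parse a Linux-PAM service file and
run a few defensive sanity checks on its auth stack."""
import re
from dataclasses import dataclass, field

# Sample input: Ryan's /etc/pam.d/system_auth as quoted in the message above.
SAMPLE_SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so minimum_uid=9999 debug
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_krb5.so minimum_uid=9999 debug
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so minimum_uid=9999 debug
password required pam_deny.so
#session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_krb5.so minimum_uid=9999 debug
session required pam_unix.so
"""


@dataclass
class PamRule:
    type: str                 # auth, account, password or session
    control: str              # required/sufficient/requisite/optional or "[...]"
    module: str               # e.g. pam_krb5.so
    args: list = field(default_factory=list)


# A rule is "type control module [args...]"; the control field may be a
# bracketed "[value=action ...]" list that itself contains spaces.
_RULE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def parse_pam(text):
    """Return the PamRule list in file order, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable PAM rule: {raw!r}")
        # A leading '-' marks a module whose absence should not be logged; drop it.
        rules.append(PamRule(m["type"].lstrip("-"), m["control"],
                             m["module"], m["args"].split()))
    return rules


def stack(rules, typ):
    """All rules of one management group (auth, account, ...)."""
    return [r for r in rules if r.type == typ]


def check_auth_stack(rules):
    """Return human-readable findings for the auth stack (assumed module semantics)."""
    findings = []
    auth = stack(rules, "auth")
    # 1. End in an explicit deny so a chain of 'sufficient' modules that all
    #    fail cannot fall through to whatever the default would be.
    if not auth or auth[-1].module != "pam_deny.so" or auth[-1].control != "required":
        findings.append("auth stack does not end with 'required pam_deny.so'")
    mods = [r.module for r in auth]
    # 2. pam_krb5 after pam_unix prompts for the password again unless told
    #    to reuse the one pam_unix already collected.
    if "pam_unix.so" in mods and "pam_krb5.so" in mods \
            and mods.index("pam_unix.so") < mods.index("pam_krb5.so"):
        krb = auth[mods.index("pam_krb5.so")]
        if not {"use_first_pass", "try_first_pass"} & set(krb.args):
            findings.append("pam_krb5.so lacks use_first_pass/try_first_pass: "
                            "users get a second password prompt")
    # 3. A 'uid >= N' gate and 'minimum_uid=M' must agree: accounts with
    #    N <= uid < M pass the gate, are skipped by pam_krb5, and hit pam_deny.
    gate = None
    for r in auth:
        if r.module == "pam_succeed_if.so" and r.args[:2] == ["uid", ">="]:
            gate = int(r.args[2])
    for r in auth:
        if r.module != "pam_krb5.so":
            continue
        for a in r.args:
            if a.startswith("minimum_uid="):
                min_uid = int(a.split("=", 1)[1])
                if gate is not None and min_uid > gate:
                    findings.append(
                        f"uids {gate}..{min_uid - 1} pass the pam_succeed_if gate "
                        f"but are ignored by pam_krb5 (minimum_uid={min_uid})")
    return findings


if __name__ == "__main__":
    for finding in check_auth_stack(parse_pam(SAMPLE_SYSTEM_AUTH)):
        print("WARNING:", finding)
```

Run against the embedded sample it reports the second-prompt issue and the uid 500..9998 gap; point `parse_pam` at the contents of a real service file to check your own stack. The parser deliberately treats only the auth group; the same `stack()` helper can be used to inspect account, password and session in the same way.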