Problem using Kerberos for user authentication

Braden McDaniel braden at endoframe.com
Wed Nov 11 14:18:11 EST 2009


On Wed, 2009-11-11 at 16:46 +0100, Javier Palacios wrote: 
> > I'm trying to get off the ground setting up Kerberos on a Fedora 11 box.
> > I've attempted to follow the instructions here:
> >        http://aput.net/~jheiss/krbldap/howto.html
> 
> That is a pretty old howto (probably older than fedora).

I noticed that.  I just haven't come across something of this nature
more recent.

> > I've tried both changing the password field for the user in /etc/shadow
> > to "*K*" (as mentioned in the howto) and removing the user's entry
> > in /etc/shadow altogether--in both cases login fails.
> 
> The '*K*' thing is probably inaccurate. I've never used it, and had
> success in debian, fedora and RHEL. And removing the user entry in
> /etc/shadow (without changes in /etc/passwd) should produce a
> non-usable account, either with kerberos or whichever auth method.

Okay.

> > Any ideas what the problem might be? Or where else I should be looking
> > to find out?
> 
> Just in case, you need to be able to `kinit username` (without the /admin).

Argh.  I missed this line in the howto:

      * Create additional username and username/admin principals as
        necessary using kadmin

Having missed that, I made the incorrect assumption that adding
"braden/admin" would have the effect of making "braden" available for
system login.

Now that I've added "braden" principal and changed /etc/shadow to have
"NP" in the password field for this user (thanks, Douglas), login is
working.

Thanks, Javier and Steve, too.  The feedback I've gotten here is bound
to help me with the next problem.

-- 
Braden McDaniel <braden at endoframe.com>
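
The mismatch described in this message (a "braden/admin" principal existing without a plain "braden" principal) can be checked for across all login accounts. The Python below is an added example, not part of the original post: the realm EXAMPLE.COM, the sample accounts, the UID cutoff of 500 and the function names are assumptions, and the inputs are constructed text shaped like /etc/passwd, /etc/shadow and kadmin `listprincs` output.

```python
# Constructed sample inputs (not from the thread); realm and accounts are placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
braden:x:500:500::/home/braden:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
"""
SHADOW = """braden:NP:14559:0:99999:7:::
alice:NP:14559:0:99999:7:::
"""
# Shaped like kadmin "listprincs" output.
LISTPRINCS = """K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
braden/admin@EXAMPLE.COM
alice@EXAMPLE.COM
alice/admin@EXAMPLE.COM
"""


def parse_principal(name):
    """Split 'primary/instance@REALM'; escaped '/' or '@' are not handled."""
    princ, _, realm = name.strip().partition("@")
    primary, _, instance = princ.partition("/")
    return primary, instance, realm


def audit(passwd, shadow, listprincs, realm, min_uid=500):
    """Per login account: does a plain 'user@REALM' principal exist?"""
    instances = {}  # primary -> instances seen in realm ('' = plain user principal)
    for line in filter(str.strip, listprincs.splitlines()):
        primary, instance, r = parse_principal(line)
        if r == realm:
            instances.setdefault(primary, set()).add(instance)
    shadow_pw = {f[0]: f[1] for f in
                 (l.split(":") for l in shadow.splitlines()) if len(f) >= 2}
    report = {}
    for f in (l.split(":") for l in passwd.splitlines()):
        if len(f) < 7 or int(f[2]) < min_uid:  # min_uid=500 is an assumed cutoff
            continue
        have = instances.get(f[0], set())
        report[f[0]] = {"user_principal": "" in have,
                        "other_instances": sorted(have - {""}),
                        "shadow_field": shadow_pw.get(f[0])}  # None = no entry
    return report


if __name__ == "__main__":
    for user, finding in audit(PASSWD, SHADOW, LISTPRINCS, "EXAMPLE.COM").items():
        print(user, finding)
```

An account reported with `user_principal` false and `admin` among `other_instances` is in the state described above: only the /admin principal exists, so `kinit username` has nothing to authenticate against.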




More information about the Kerberos mailing list