Problem using Kerberos for user authentication

Braden McDaniel braden at endoframe.com
Wed Nov 11 17:11:26 EST 2009


Ryan Lynch wrote:

[snip]

> There are some differences between our setups. The biggest difference
> appears to be that I'm using 'pam_krb5' in combination with
> 'nss_ldap', because my user/group accounts are stored in LDAP (on an
> MS Active Directory DC). All accounts are either purely local (only
> exist in /etc/passwd, group, and shadow), or purely AD (only exist in
> Kerberos and LDAP)--there are no overlapping cases, where an account
> has a local /etc/passwd entry and a Kerberos principal, as well.

Getting LDAP up and running is the next step for me; in my case, the 
directory will be hosted on this same machine.  So I expect to be adding 
those bits shortly.

>  - Authenticating SSH logins via Kerberos tokens requires some changes
> to ssh_config, and possibly sshd_config, as well. If you haven't
> modified either the client or server for GSS/Kerberos operations, and
> you're not using any special command-line options, that may be part of
> your problem.

ssh appears to be working without me doing anything special in 
sshd_config; my understanding is that once Kerberos is working with PAM, 
the things that can use PAM will Just Work.  I'm attributing successful 
ssh logins to this.

>  - I wanted to echo Javier's suggestion about using the 'debug'
> parameter to 'pam_krb5'. You can activate it via the 'system_auth'
> lines, or via your 'krb5.conf'. I could not have gotten my setup to
> work without the debug messages.

No doubt that will come in handy.  Thanks...

-- 
Braden McDaniel                      e-mail: <braden at endoframe.com>
<http://endoframe.com>               Jabber: <braden at jabber.org>
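
An added example, not part of the thread or either poster's configuration: a small Python check that reads a PAM stack and an sshd_config and reports which Kerberos login path is active (password checked by pam_krb5 through PAM, or ticket-based GSSAPI login) and whether the pam_krb5 'debug' option is set. The sample file contents are constructed, the function names are hypothetical, and the fallback values assume upstream OpenSSH defaults (UsePAM no, GSSAPIAuthentication no).

```python
import re

# Constructed sample files (assumptions for illustration, not from the thread).
PAM_SYSTEM_AUTH = """\
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok try_first_pass
auth     sufficient  pam_krb5.so use_first_pass debug
auth     required    pam_deny.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
"""
SSHD_CONFIG = """\
# GSSAPIAuthentication is left at its default
UsePAM yes
PasswordAuthentication yes
"""

def pam_krb5_lines(pam_text):
    """Return (type, [args]) for each pam_krb5 line in a PAM config file."""
    found = []
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()
        # Fields: type, control (plain word or [bracketed]), module, arguments.
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(3).endswith("pam_krb5.so"):
            found.append((m.group(1), m.group(4).split()))
    return found

def sshd_option(cfg_text, name, default):
    """First occurrence wins in sshd_config; stop at the first Match block."""
    for line in cfg_text.splitlines():
        parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == name.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def kerberos_login_paths(pam_text, sshd_text):
    """Summarise which Kerberos login paths the two files enable."""
    auth = [args for kind, args in pam_krb5_lines(pam_text) if kind == "auth"]
    use_pam = sshd_option(sshd_text, "UsePAM", "no") == "yes"
    gssapi = sshd_option(sshd_text, "GSSAPIAuthentication", "no") == "yes"
    return {
        "password_via_pam_krb5": bool(auth) and use_pam,  # password checked by PAM
        "ticket_via_gssapi": gssapi,                      # existing ticket accepted
        "pam_krb5_debug": any("debug" in args for args in auth),
    }

if __name__ == "__main__":
    print(kerberos_login_paths(PAM_SYSTEM_AUTH, SSHD_CONFIG))
```

With the constructed files, password logins go through pam_krb5 while ticket-based GSSAPI login stays off until GSSAPIAuthentication is enabled in sshd_config.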
