LDAP/Kerberos client config

Jaap Winius jwinius at umrk.nl
Tue Jan 26 11:42:04 EST 2010


On Tue, 26 Jan 2010 16:37:37 +0100, mark wrote:

> did you check if the credential cache can be accessed by nscd. E.g., if
> nscd is running as nobody and /tmp/krb5cc_0 belongs to root it will not
> work.

Hi Mark,

Thanks for your reply! On my client system (Debian lenny), k5start 
creates the Kerberos credential cache (/tmp/krb5cc_0) based on the 
Kerberos host principal key and makes it accessible only to root. I know 
that libnss-ldap needs to access it, since it's mentioned in my 
/etc/libnss-ldap.conf:

   krb5_ccname FILE:/tmp/krb5cc_0

However, nscd is also running as root, so it should be able to access it. 

In the meantime, I discovered the libsasl2-modules-gssapi-mit package 
was missing and have also added "SASL_MECH GSSAPI" to my LDAP Defaults 
config file (/etc/ldap/ldap.conf). My PAM config looks like this:

   auth      sufficient   pam_unix.so       nullok_secure
   auth      required     pam_krb5.so       use_first_pass

   account   sufficient   pam_unix.so
   account   required     pam_krb5.so

   password  sufficient   pam_unix.so       nullok obscure md5
   password  required     pam_krb5.so       use_first_pass

   session   required     pam_unix.so
   session   required     pam_mkhomedir.so
   session   optional     pam_krb5.so

Also, this is my current libnss-ldap.conf:

   base dc=example,dc=com
   uri ldap://ldapks1.example.com/
   ldap_version 3
   bind_policy soft
   krb5_ccname FILE:/tmp/krb5cc_0

Incidentally, the default for krb5_ccname is "/etc/.ldapcache" -- any 
idea what that's supposed to be about?

... Well, it looks like I'm in luck today, because I've just solved my 
own problem! These lines in my LDAP server's slapd.conf were the culprit:

   access to dn.children="ou=users,dc=example,dc=com"
        attrs=cn,uid
        by * auth

I had added them in a desperate attempt to solve an earlier problem, but 
then stupidly forgot about them once that problem was solved. As soon as 
these lines were removed, my client was able to log in!

Thanks again,

Jaap
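An added note on the slapd.conf lines above (this is not part of the original thread): in OpenLDAP the `by` clauses of an access directive are tried in order and the first match wins, and the `auth` level permits binding only, not `search` or `read`, so with `by * auth` no client, authenticated or not, can search on or read cn/uid in that subtree and the NSS user lookups fail. Removing the lines is what the poster did; the second directive below is an assumed alternative (not the poster's configuration) that keeps anonymous clients at `auth` while letting an authenticated client, such as nss_ldap bound with the host principal over GSSAPI, read those attributes:

```conf
# Culprit lines from the poster's slapd.conf. 'auth' is the only level
# granted, and it is below 'search' and 'read', so nobody except the
# rootdn can look up or read uid/cn here, even after a successful
# GSSAPI bind. NSS lookups against this subtree therefore return nothing.
access to dn.children="ou=users,dc=example,dc=com"
     attrs=cn,uid
     by * auth

# Assumed alternative (not the poster's config). 'users' matches any
# authenticated client, and 'read' implies 'search' and 'compare', so a
# bound nss_ldap client can resolve accounts. Anonymous clients fall
# through to the original 'auth' level. Because the first matching 'by'
# clause wins, the broader 'users' clause must precede 'by * auth'.
access to dn.children="ou=users,dc=example,dc=com"
     attrs=cn,uid
     by users read
     by * auth
```

Access directives are also matched in order, so this directive must appear before any broader `access to` rule that would otherwise claim the same entries.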


