Barry King wrote:
> I'm looking for a way to use a combination of kerberos & ldap authentication
> for (primarily Fedora 8) Linux workstations. My goal is to have an
> automated install that will allow users to authenticate to kerberos
> immediately after install, without the need to create host principals or
> extract keytabs.
>
> Right now, when I ssh in, it hangs and I get this with debug turned on:
>
> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: trying
> previously-entered password for 'bking', allowing libkrb5 to prompt for more
> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: authenticating '
> bking@REALM' to 'krbtgt/REALM@REALM'
> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]:
> krb5_get_init_creds_password(krbtgt/REALM@REALM returned 0 (Success)
> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: got result 0
> (Success)
>
> Thoughts?


Your install needs to be done so it creates the keytab and updates the KDC.
This requires the admin doing the install to have privileges to create
host principals in the KDC. Or you need to create the principals in the KDC
ahead of time and provide the keytab to the admin doing the installer.

There is no way you would want ordinary users creating principals in the KDC.

>
> My (sanitized) krb5.conf:
>
> [logging]
> default = SYSLOG:ERR:USER
>
> [libdefaults]
> default_realm = REALM
> dns_lookup_kdc = false
> dns_lookup_realm = false
> noaddresses = true
> validate = false
>
> [realms]
> EXPERTCITY.COM = {
> kdc = names1.realm
> master_kdc = names0.realm
> admin_server = names0.realm
> auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
> auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
>
> auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .realm = REALM
>
> [appdefaults]
> pam = {
> forwardable = true
> }
>
> My pam.d/system-auth:
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth
> nullok
> auth sufficient /lib/security/$ISA/pam_krb5.so
> minimum_uid=3000 use_authtok debug
> #auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_localuser.so
> account sufficient /lib/security/$ISA/pam_krb5.so debug
> account sufficient /lib/security/$ISA/pam_ldap.so debug
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
> debug
> password required /lib/security/$ISA/pam_deny.so debug
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> #session required /lib/security/$ISA/pam_mkhomedir.so
> skel=/etc/skel/ umask=0022
> sauth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth
> nullok
> auth sufficient /lib/security/$ISA/pam_krb5.so
> minimum_uid=3000 use_authtok debug
> #auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_localuser.so
> account sufficient /lib/security/$ISA/pam_krb5.so debug
> account sufficient /lib/security/$ISA/pam_ldap.so debug
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
> debug
> password required /lib/security/$ISA/pam_deny.so debug
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> #session required /lib/security/$ISA/pam_mkhomedir.so
> skel=/etc/skel/ umask=0022
> session optional /lib/security/$ISA/pam_krb5.so debug
> session optional /lib/security/$ISA/pam_ldap.so debug
> session optional /lib/security/$ISA/pam_krb5.so debug
> session optional /lib/security/$ISA/pam_ldap.so debug
>
> Any ideas? Is what I'm trying even possible?
>
> Thanks,
>


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444