LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-31-2007, 03:19 PM   #1
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Rep: Reputation: 15
Question Kerberos only authenticates local account?


A principal is created in Kerberos REALM as: "SOMEONE@COMPANY.COM".

NOTE: no host name is used!

I want to log in by giving user name "SOMEONE" w/ the correct password on a machine that has access to the KDC. But this fails, and it seems ONLY principals that are also accounts on the local machine can log on to the machine.

Here's the error message:

Quote:
pam_krb5[4163]: error resolving user name 'SOMEONE' to uid/gid pair
kdm: :1[4163]: pam_krb5[4163]: error getting information about 'SOMEONE'
kdm: :1[4163]: pam_warn(xdm:auth): function=[pam_sm_authenticate] service=[xdm] terminal=[:1] user=[SOMEONE] ruser=[<unknown>] rhost=[<unknown>]
It is known to me that OpenLDAP can allow a user to log in on different machines without the user having a local account on any of those machines at all. So, I think KERBEROS should support this as well. I guess the problem might be caused by wrong PAM rules? Here it is:

Quote:
#common-auth
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_krb5.so use_first_pass

#common-account
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass

#common-password
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so nullok use_authtok
password required pam_krb5.so use_authtok

#common-session
session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so
session optional pam_umask.so
Or, how can a user be allowed to log in (through pam_krb5) on different machines w/o creating local accounts in advance at all?

Thanks!

Last edited by licht; 07-31-2007 at 03:35 PM.
 
Old 08-01-2007, 12:31 PM   #2
lsteacke
Member
 
Registered: Jul 2007
Distribution: Ubuntu
Posts: 99

Rep: Reputation: 16
Are you using ldap to query your AD server? In many cases ldap queries the AD server and looks for the user there. However, from what I gather your goal here is to have accounts that exist, say, on your box and that don't exist in the AD tree, but you want to use this login for other machines? Have you tried to receive a kerberos ticket?

Try these commands

# kinit SOMEONE
Password for SOMEONE@COMPANY.COM: ...

# klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: SOMEONE@COMPANY.COM

Let me know if this works.
 
Old 08-01-2007, 12:54 PM   #3
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by lsteacke
I'm not using Active Directory. All this is on Linux: OpenLDAP, MIT Kerberos and PAM modules.

Anyway, Kerberos on my machine works. There is no problem with kinit or klist, and as I said in the question, it also works for login (authentication and issuing tickets), except that it only lets a principal that is also a local Linux account log in.

goal 1: use Kerberos for login on different Linux machines (no need to repeatedly create the same account on them)

goal 2 (better): use OpenLDAP for the account, but Kerberos for the password and issuing tickets. (There is no problem using pam_ldap for authentication against OpenLDAP, but then it uses the password stored in LDAP and no tickets are issued upon a successful login.)
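The "error resolving user name 'SOMEONE' to uid/gid pair" in the first post is pam_krb5 asking the system name service (getpwnam) for an account entry after Kerberos has done its part; the KDC proves the password, but some NSS source such as local files or nss_ldap still has to supply the uid/gid. The shell diagnostic below is added here (my code, not from the thread) to check those two pieces separately; the nsswitch.conf path and user name are arguments, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): pam_krb5 authenticates the
# principal against the KDC, but it still calls getpwnam() to map the
# login name to a uid/gid.  If no NSS source lists "SOMEONE", the login
# fails with "error resolving user name ... to uid/gid pair" even though
# kinit and klist work.  These helpers look at each piece separately.

# Print the sources configured for the passwd database in an
# nsswitch.conf-style file, e.g. "files ldap".  Comments and action
# tokens such as "[NOTFOUND=return]" are dropped.
passwd_sources() {
    nsswitch="$1"
    sed -n 's/#.*//; s/^[[:space:]]*passwd:[[:space:]]*//p' "$nsswitch" |
        sed 's/\[[^]]*\]//g' |
        tr -s '[:space:]' ' ' |
        sed 's/^ *//; s/ *$//'
}

# Return 0 when a non-local source (ldap, sss, winbind, nis, db ...) can
# supply account entries, 1 when only local files are consulted.  With
# local files only, a Kerberos-only principal can never be resolved.
has_directory_source() {
    for src in $(passwd_sources "$1"); do
        case "$src" in
            files|compat) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# Return 0 when the running system can map a login name to a uid/gid,
# which is exactly the lookup pam_krb5 performs after the KDC accepts
# the password.  getent uses the same NSS path as getpwnam().
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}
```

Run `user_resolves SOMEONE` on the machine where the login fails; if it returns 1 while `kinit SOMEONE` succeeds, the fix is an account source in nsswitch.conf (nss_ldap against the OpenLDAP directory, for goal 2), not a change to the Kerberos principals.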