PAM/Kerberos authentication problem

hmartin216 · 08-11-2004, 04:01 PM

I am trying, unsuccessfully, to authenticate my RH9 system to Active Directory using PAM and the pam_krb5.so module.

In the trace, I can see that the request being sent by the RH9 workstation shows the principal name as <domain>+<user> (e.g. mydomain+myuserid). This format is a function of the winbind configuration in /etc/samba/smb.conf. However, it appears that this is causing Kerberos to think that the domain name is part of the user name.

Any thoughts on what I'm doing wrong?

jimrt · 08-15-2004, 04:50 PM

I have been working the past several months to get unified logins to work between Active Directory (2003 in my case) and RedHat/Solaris.

This is what I have working:

All account information (but not passwords) is stored in our openLDAP directory
All passwords are retrieved from our Windows 2003 domain using kerberos
All Linux and Solaris machines run a special, patched version of OpenSSH. This allows:

passwordless SSH between *nix hosts using a valid kerberos ticket
passwordless SSH from a Windows SSH client that supports GSSAPI

Console login using your Windows username and password works
SAMBA works (using a special patched version or potentially with 3.0.6rc2)

There are a lot of tricks (and hassles) getting these things to work and well and work together. If you want more information, please let me know.

dbalsige · 03-11-2005, 09:28 PM

Quote:

Originally posted by jimrt
I have been working the past several months to get unified logins to work between Active Directory (2003 in my case) and RedHat/Solaris.

This is what I have working:

All account information (but not passwords) is stored in our openLDAP directory
All passwords are retrieved from our Windows 2003 domain using kerberos
All Linux and Solaris machines run a special, patched version of OpenSSH. This allows:

passwordless SSH between *nix hosts using a valid kerberos ticket
passwordless SSH from a Windows SSH client that supports GSSAPI

Console login using your Windows username and password works
SAMBA works (using a special patched version or potentially with 3.0.6rc2)

There are a lot of tricks (and hassles) getting these things to work and well and work together. If you want more information, please let me know.

Hi

I have a little question and I hope you can help me ...

What Ive got working:
mit-krb5 with pam_krb5 works fine (so I get the tgt at login time)
I can login through pam_krb5 OR pam_unix and I get a tgt if it is pam_krb5 that succeeds
ketabs are setup properly .. I tested it with mit's sserver and sclient.
I added host principals too (for working with OpenSSH)
so far so good..

the goal:
The connect to other hosts via OpenSSH should
a) be passwordless if I have already a tgt and it should forward the tgt
b) ask for the kerberos passwd if I havent yet a tgt
c) ask for a password for normal unix accounts if user principal doesnt exist in kdc
d) use my PAM configuration

I already achieved b) c) and d)
the only thing to do was to set
UsePAM yes
in /etc/ssh/sshd_config
and a somewhat tricky PAM configuration

the problem: a)
passwordless logins dont work , neither forwarding tgt's..
I tried to set
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCreds yes
in /etc/ssh/sshd_config
but that didnt help..

BTW when uncommenting UsePAM yes
it didnt work either .. but the tgt forwarding seems to work ...
that was only a simple test since I can forget point d) of my requirements

Any hints ?
HAs any of the patches you mentioned to do with this issue ?

Thanx in advance

Daniel