LinuxQuestions.org
#1  08-11-2004, 05:01 PM  hmartin216 (LQ Newbie, registered Aug 2004)
PAM/Kerberos authentication problem


I am trying, unsuccessfully, to authenticate my RH9 system to Active Directory using PAM and the pam_krb5.so module.

In the trace, I can see that the request being sent by the RH9 workstation shows the principal name as <domain>+<user> (e.g. mydomain+myuserid). This format is a function of the winbind configuration in /etc/samba/smb.conf. However, it appears that this is causing Kerberos to think that the domain name is part of the user name.

Any thoughts on what I'm doing wrong?
 
#2  08-15-2004, 05:50 PM  jimrt (Member, registered Mar 2003)
I have been working the past several months to get unified logins to work between Active Directory (2003 in my case) and RedHat/Solaris.

This is what I have working:

All account information (but not passwords) is stored in our openLDAP directory
All passwords are retrieved from our Windows 2003 domain using kerberos
All Linux and Solaris machines run a special, patched version of OpenSSH. This allows:

passwordless SSH between *nix hosts using a valid kerberos ticket
passwordless SSH from a Windows SSH client that supports GSSAPI

Console login using your Windows username and password works
SAMBA works (using a special patched version or potentially with 3.0.6rc2)

There are a lot of tricks (and hassles) in getting these things to work well and work together. If you want more information, please let me know.
 
#3  03-11-2005, 10:28 PM  dbalsige (LQ Newbie, registered Mar 2005, Switzerland, LinuxFromScratch)
Quote:
Originally posted by jimrt (post #2 above, quoted in full)
Hi

I have a little question and I hope you can help me ...

What I've got working:
mit-krb5 with pam_krb5 works fine (so I get the TGT at login time)
I can log in through pam_krb5 OR pam_unix, and I get a TGT if it is pam_krb5 that succeeds
keytabs are set up properly; I tested them with MIT's sserver and sclient.
I added host principals too (for working with OpenSSH)
So far so good.

The goal:
Connecting to other hosts via OpenSSH should
a) be passwordless if I already have a TGT, and it should forward the TGT
b) ask for the Kerberos password if I don't have a TGT yet
c) ask for a password for normal Unix accounts if the user principal doesn't exist in the KDC
d) use my PAM configuration

I already achieved b), c) and d).
The only thing to do was to set
UsePAM yes
in /etc/ssh/sshd_config
and a somewhat tricky PAM configuration.

The problem: a)
Passwordless logins don't work, and neither does forwarding TGTs.
I tried to set
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCreds yes
in /etc/ssh/sshd_config
but that didn't help.

BTW, when uncommenting UsePAM yes
it didn't work either, but the TGT forwarding seems to work ...
That was only a simple test, since I can forget point d) of my requirements.

Any hints?
Does any of the patches you mentioned have to do with this issue?

Thanks in advance

Daniel
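The settings dbalsige lists are all on the server side, while passwordless (ticket-based) login and TGT forwarding also depend on the client's ssh_config, on the host keytab matching the name the client resolves, and on the ordering of the PAM auth stack. The script below is an added example, not code from the thread or from OpenSSH/MIT Kerberos: it checks those four things against constructed sample files. The hostname ws1.example.org and realm EXAMPLE.ORG are assumptions for the example. Two facts it relies on: in sshd_config(5), KerberosAuthentication only validates a typed password against the KDC, and it is GSSAPIAuthentication that accepts a ticket; on the client, GSSAPIDelegateCredentials must be yes or the TGT is never forwarded. The keyword the post writes as GSSAPICleanupCreds is GSSAPICleanupCredentials in sshd_config(5).

```shell
#!/bin/sh
# Added example (not from the thread): audit the pieces that ticket-based SSH
# login needs. Assumes OpenSSH built with GSSAPI support; hostname/realm below
# are invented for the example, and every sample file is constructed inline.

# Effective value of a keyword in an OpenSSH-style config: first match wins
# (as in OpenSSH), comments skipped, keywords case-insensitive. Deliberately
# ignores Host/Match blocks, so point it at the section you care about.
ssh_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Server: GSSAPIAuthentication accepts a Kerberos ticket;
# KerberosAuthentication only checks a typed password against the KDC.
check_sshd_config() {
    if [ "$(ssh_opt "$1" GSSAPIAuthentication)" != yes ]; then
        echo "sshd: GSSAPIAuthentication must be yes"; return 1
    fi
    if [ "$(ssh_opt "$1" UsePAM)" != yes ]; then
        echo "sshd: note: UsePAM is not yes, PAM account/session stacks will not run"
    fi
    return 0
}

# Client: both must be on. Without GSSAPIDelegateCredentials the login can
# succeed while no TGT arrives on the remote host.
check_ssh_config() {
    rc=0
    if [ "$(ssh_opt "$1" GSSAPIAuthentication)" != yes ]; then
        echo "ssh: GSSAPIAuthentication must be yes in ssh_config (client)"; rc=1
    fi
    if [ "$(ssh_opt "$1" GSSAPIDelegateCredentials)" != yes ]; then
        echo "ssh: GSSAPIDelegateCredentials must be yes to forward the TGT"; rc=1
    fi
    return $rc
}

# Keytab must hold host/<fqdn>@REALM for the name the *client* resolves.
# $1 = FQDN, $2 = text of `klist -k` (passed in so this runs offline).
keytab_has_host_principal() {
    printf '%s\n' "$2" | grep -qF "host/$1@"
}

# PAM auth stack for sshd: pam_krb5 first and "sufficient" (Kerberos users get
# a TGT and stop there), then pam_unix with use_first_pass (a purely local
# account is tried with the same password, no second prompt).
check_pam_auth_stack() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $3 ~ /pam_krb5\.so/ { krb = NR; if ($2 != "sufficient") notsuff = 1 }
        $1 == "auth" && $3 ~ /pam_unix\.so/ { ux = NR; if ($0 !~ /use_first_pass/) nofp = 1 }
        END {
            if (!krb)            { print "pam: no auth line for pam_krb5.so"; exit 1 }
            if (notsuff)         { print "pam: pam_krb5.so should be sufficient, not required"; exit 1 }
            if (!ux || ux < krb) { print "pam: pam_unix.so must come after pam_krb5.so"; exit 1 }
            if (nofp)            { print "pam: add use_first_pass to pam_unix.so"; exit 1 }
        }' "$1"
}

# --- constructed samples ---------------------------------------------------
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
SERVER_POSTED=$TMPD/sshd_config; CLIENT_DEFAULT=$TMPD/ssh_config.default
CLIENT_FIXED=$TMPD/ssh_config.fixed; PAM_SSHD=$TMPD/pam_sshd
cat >"$SERVER_POSTED" <<'EOF'
UsePAM yes
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
cat >"$CLIENT_DEFAULT" <<'EOF'
# stock client file: GSSAPI options left commented out (default no)
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
EOF
cat >"$CLIENT_FIXED" <<'EOF'
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
cat >"$PAM_SSHD" <<'EOF'
auth     sufficient pam_krb5.so
auth     required   pam_unix.so use_first_pass
account  required   pam_unix.so
session  optional   pam_krb5.so
session  required   pam_unix.so
EOF
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/ws1.example.org@EXAMPLE.ORG'

check_sshd_config "$SERVER_POSTED"  && echo "server config:  ok"
check_ssh_config  "$CLIENT_DEFAULT" || echo "client (stock): not ready"
check_ssh_config  "$CLIENT_FIXED"   && echo "client (fixed): ok"
keytab_has_host_principal ws1.example.org "$KLIST_SAMPLE" && echo "keytab: ok"
check_pam_auth_stack "$PAM_SSHD"    && echo "pam stack: ok"
```

On a real host, run `ssh -vvv user@host` from a client that already holds a TGT: the debug output shows whether gssapi-with-mic is among the methods the server offers and whether the client attempts it, which separates a server-side problem from a client-side one. The host-principal check matters because the client builds the service name from the hostname it resolves, so a keytab entry for a short name or an alias will not match.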