Originally posted by jimrt
I have been working the past several months to get unified logins to work between Active Directory (2003 in my case) and RedHat/Solaris.
This is what I have working:
All account information (but not passwords) is stored in our openLDAP directory
All passwords are retrieved from our Windows 2003 domain using Kerberos
All Linux and Solaris machines run a special, patched version of OpenSSH. This allows:
passwordless SSH between *nix hosts using a valid Kerberos ticket
passwordless SSH from a Windows SSH client that supports GSSAPI
Console login using your Windows username and password works
SAMBA works (using a special patched version or potentially with 3.0.6rc2)
There are a lot of tricks (and hassles) getting these things to work well and work together. If you want more information, please let me know.
I have a little question and I hope you can help me ...
What I've got working:
mit-krb5 with pam_krb5 works fine (so I get the TGT at login time)
I can log in through pam_krb5 OR pam_unix, and I get a TGT if it is pam_krb5 that succeeds
Keytabs are set up properly; I tested them with MIT's sserver and sclient.
I added host principals too (for working with OpenSSH)
So far so good.
Connecting to other hosts via OpenSSH should
a) be passwordless if I already have a TGT, and it should forward the TGT
b) ask for the Kerberos password if I don't have a TGT yet
c) ask for a password for normal unix accounts if the user principal doesn't exist in the KDC
d) use my PAM configuration
I already achieved b), c) and d);
the only thing to do was to set
and a somewhat tricky PAM configuration
The problem: a)
Passwordless logins don't work, nor does forwarding TGTs.
I tried to set
but that didn't help.
BTW, when uncommenting UsePAM yes
it didn't work either, but the TGT forwarding seems to work.
That was only a simple test, since I can forget point d) of my requirements.
Any hints ?
Do any of the patches you mentioned have to do with this issue?
Thanx in advance
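Added example, not from the thread or from either poster: a small POSIX shell checker for the OpenSSH keywords that requirement a) (ticket-based, passwordless login with TGT forwarding) depends on. The keyword names (GSSAPIAuthentication, GSSAPIDelegateCredentials, UsePAM) are standard OpenSSH options and are my assumption about what the poster's elided settings were; the sample config files are constructed for the demonstration. The check mirrors a detail that is easy to miss: both sshd_config and ssh_config use the first value found for a keyword, so a distribution default such as "GSSAPIAuthentication no" left above an appended "yes" silently wins.

```shell
#!/bin/sh
# Added example (not the thread's code): audit the GSSAPI keywords that a
# Kerberos single-sign-on SSH setup depends on. OpenSSH applies the FIRST
# value found for a keyword, so a later "GSSAPIAuthentication yes" loses
# to an earlier "no" -- a common cause of "passwordless login doesn't work".

# Print the effective value of keyword $2 in config file $1 ("unset" if absent).
# Keywords are matched case-insensitively, as OpenSSH does.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                                # skip comment lines
        NF < 2     { next }                                # skip blanks / bare keywords
        tolower($1) == key { print $2; found = 1; exit }   # first match wins
        END { if (!found) print "unset" }
    ' "$1"
}

# Check file $1 in role $2 ("server" = sshd_config, "client" = ssh_config).
# Every keyword checked here defaults to "no" when unset, so "unset" is
# reported as a problem too. Prints one line per problem; returns 0 if clean.
gssapi_report() {
    file=$1; role=$2; rc=0
    case $role in
        # server: accept GSSAPI auth; UsePAM so the PAM stack is honoured (point d)
        server) want="GSSAPIAuthentication UsePAM" ;;
        # client: offer GSSAPI auth and delegate (forward) the TGT (point a)
        client) want="GSSAPIAuthentication GSSAPIDelegateCredentials" ;;
        *)      echo "unknown role: $role"; return 2 ;;
    esac
    for kw in $want; do
        got=$(effective_value "$file" "$kw")
        if [ "$got" != "yes" ]; then
            echo "$file: $kw is '$got', need 'yes'"
            rc=1
        fi
    done
    return $rc
}

# Constructed configs for the demonstration (temporary files, removed below).
tmp=${TMPDIR:-/tmp}/gssapi-demo.$$
mkdir -p "$tmp"
cat > "$tmp/sshd_config.bad" <<'EOF'
# distribution default left in place ...
GSSAPIAuthentication no
UsePAM yes
# ... so the fix appended below never takes effect
GSSAPIAuthentication yes
EOF
cat > "$tmp/ssh_config.good" <<'EOF'
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF

for spec in "$tmp/sshd_config.bad server" "$tmp/ssh_config.good client"; do
    set -- $spec
    if gssapi_report "$1" "$2"; then
        echo "$1: ok"
    fi
done
rm -rf "$tmp"
```

Run it as-is to see the constructed sshd_config flagged ("GSSAPIAuthentication is 'no', need 'yes'") while the client config passes; point it at real files with `gssapi_report /etc/ssh/sshd_config server` and `gssapi_report ~/.ssh/config client`. It only covers the configuration side: a missing host principal in the keytab or an expired TGT (check with `klist`) will still break passwordless login even when every keyword is right.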