LinuxQuestions.org

Linux - Networking: Kerberos only authenticates local account? (https://www.linuxquestions.org/questions/linux-networking-3/kerberos-only-authenticates-local-account-573738/)

licht 07-31-2007 02:19 PM

Kerberos only authenticates local account?
 
A principal is created in Kerberos REALM as: "SOMEONE@COMPANY.COM".

NOTE: no host name is used!

I want to log in by giving user name "SOMEONE" with the correct password on a machine that has access to the KDC. But this fails, and it seems ONLY principals that are also accounts on the local machine can log on to the machine.

Here's the error message:

Quote:

pam_krb5[4163]: error resolving user name 'SOMEONE' to uid/gid pair
kdm: :1[4163]: pam_krb5[4163]: error getting information about 'SOMEONE'
kdm: :1[4163]: pam_warn(xdm:auth): function=[pam_sm_authenticate] service=[xdm] terminal=[:1] user=[SOMEONE] ruser=[<unknown>] rhost=[<unknown>]
It is known to me that OpenLDAP allows a user to log in on different machines without having a local account on any of them. So I think KERBEROS should support this as well. I guess the problem might be caused by wrong PAM rules? Here it is:

Quote:

#common-auth
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_krb5.so use_first_pass

#common-account
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass

#common-password
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so nullok use_authtok
password required pam_krb5.so use_authtok

#common-session
session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so
session optional pam_umask.so
Or, how can a user be allowed to log in (through pam_krb5) on different machines without creating local accounts in advance?

Thanks!

lsteacke 08-01-2007 11:31 AM

Are you using LDAP to query your AD server? In many cases LDAP queries the AD server and looks for the user there. However, from what I gather your goal here is to have accounts that exist, say, on your box and that don't exist in the AD tree, but you want to use this login for other machines? Have you tried to receive a Kerberos ticket?

Try these commands

# kinit SOMEONE
Password for SOMEONE@COMPANY.COM: ...

# klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: SOMEONE@COMPANY.COM

Let me know if this works.

licht 08-01-2007 11:54 AM

Quote:

Originally Posted by lsteacke
Are you using LDAP to query your AD server? In many cases LDAP queries the AD server and looks for the user there. However, from what I gather your goal here is to have accounts that exist, say, on your box and that don't exist in the AD tree, but you want to use this login for other machines? Have you tried to receive a Kerberos ticket?

Try these commands

# kinit SOMEONE
Password for SOMEONE@COMPANY.COM: ...

# klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: SOMEONE@COMPANY.COM

Let me know if this works.

I'm not using Active Directory. All this is on Linux: OpenLDAP, MIT Kerberos and PAM modules.

Anyway, Kerberos on my machine works. There is no problem with kinit or klist, and as I said in the question, it also works for login (authentication and issuing tickets), except that it only lets a principal that is also a local Linux account log in.

Goal 1: use Kerberos for login on different Linux machines (no need to repeatedly create the same account on each of them).

Goal 2 (better): use OpenLDAP for the account, but have it use Kerberos for the password and for issuing tickets. (There is no problem using pam_ldap for authentication against OpenLDAP, but then it uses the password stored in LDAP and no tickets are issued upon a successful login.)
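The error quoted in the first post ("error resolving user name 'SOMEONE' to uid/gid pair") is raised after Kerberos has already verified the password: pam_krb5 calls getpwnam() to find a uid/gid for the session, and that lookup is answered by NSS (/etc/nsswitch.conf), not by the KDC. If the passwd line lists only "files", a principal with no /etc/passwd entry can never log in, whatever the PAM stack says; pointing the passwd and group databases at a directory source (nss_ldap against the poster's OpenLDAP) while leaving pam_krb5 in the auth stack is exactly the split described as goal 2. The script below is an added example, not code from the thread or from any of the projects named in it: it parses a given nsswitch.conf, reports whether directory users can be resolved, and checks a name on the running host. The two configuration files it inspects are constructed samples, and the "ldap" source assumes nss_ldap (or another NSS directory module) is installed.

```shell
#!/bin/sh
# Added example, not from the thread. pam_krb5 verified the password against the KDC and
# then failed in getpwnam(): the uid/gid pair comes from NSS (/etc/nsswitch.conf), not from
# Kerberos. These helpers check whether a given nsswitch.conf lets passwd/group lookups
# reach a directory source, and whether a user name resolves on this host.

# nss_sources FILE DB -> print the sources configured for DB ("passwd" or "group"),
# with any trailing comment stripped
nss_sources() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/#.*//'
}

# nss_has_directory_source FILE DB -> 0 when a non-local source (ldap, sss, winbind, nis)
# is listed for DB; 1 when only "files" (or nothing) is, so only local entries resolve
nss_has_directory_source() {
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in
            ldap|sss|winbind|nis) return 0 ;;
        esac
    done
    return 1
}

# user_resolves NAME -> 0 if this host's NSS maps NAME to a passwd entry (what pam_krb5 needs)
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# diagnose FILE -> print a verdict for passwd and group; 0 only if both reach a directory source
diagnose() {
    rc=0
    for db in passwd group; do
        if nss_has_directory_source "$1" "$db"; then
            echo "$db: $(nss_sources "$1" "$db") -> directory users can be resolved"
        else
            echo "$db: $(nss_sources "$1" "$db") -> only local /etc/$db entries resolve"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configurations (not the poster's files).
weak=$(mktemp); fixed=$(mktemp)
cat >"$weak" <<'EOF'
# files only: a principal with no /etc/passwd entry has no uid/gid
passwd: files
group:  files
shadow: files
EOF
cat >"$fixed" <<'EOF'
# account data from OpenLDAP via nss_ldap; Kerberos still verifies the password in PAM
passwd: files ldap
group:  files ldap
shadow: files
EOF

echo "== files only =="; diagnose "$weak" || true
echo "== files + ldap =="; diagnose "$fixed" || true
rm -f "$weak" "$fixed"
```

Run it as a normal user; `diagnose /etc/nsswitch.conf` on the failing host would print the "only local entries resolve" verdict for the first post's setup, and `user_resolves SOMEONE` returns non-zero until the directory source is in place and the LDAP entry carries posixAccount attributes. Nothing here changes the PAM stack: the quoted common-auth already hands the password to pam_krb5, which is what keeps ticket issuance on login once the account lookup succeeds.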
