
someshpr 07-06-2009 04:38 PM

Local login via kerberos authentication
I am new to LQ, and Linux system administration!

In our office we log in to our local machines via a remote kerberos authentication server, so we actually don't need to create any local login on any of the machines. The home directories are automounted via an nfs fileserver.
Now we have a new machine with Mandriva. I want to set up a similar logon procedure for this machine. I copied the content of the /etc/krb5.conf file from one of our old machines to the new machine. But still I cannot log in without a local login. What are the things I need to change to achieve this?
The content of /etc/krb5.conf is


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm =
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[domain_realm]
 =
 =

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
What more info should I post, if any?

Thanks in advance!
-- Somesh

acid_kewpie 07-07-2009 04:54 PM

My kerberos isn't too hot, but firstly it's for authentication only, not user information, and that's the first step. You need to obtain a POSIX compliant user account, e.g. from ldap, nis or such like, and then use that account to authenticate with kerberos and get a ticket. So on other linux boxes, check /etc/nsswitch.conf to start off by seeing where they get their user info from.

someshpr 07-08-2009 09:23 AM

two more questions!

Originally Posted by acid_kewpie (Post 3600164)
...check /etc/nsswitch.conf to start off by seeing where they get their user info from.

Thanks, acid_kewpie!
I checked the nsswitch.conf and ldap.conf found

nsswitch: (only uncommented lines)

passwd: files ldap [NOTFOUND=return]
shadow: files
group: files ldap [NOTFOUND=return]
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
ldap: (only uncommented lines)

base dc=abc,dc=edu
uri ldap://
timelimit 5
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
nss_default_attribute_value cn Anonymous
Before I change nsswitch.conf and ldap.conf in the new machine, I just want to know:

a) The reference files are from a RHEL5 installation where both ldap.conf and nsswitch.conf are in /etc/; but the new machine, which has Mandriva, has nsswitch.conf in /etc/ and ldap.conf in /etc/open-ldap/. So should this different path of ldap.conf be incorporated in nsswitch.conf, i.e., should I change nsswitch.conf to

passwd: files open-ldap/ldap [NOTFOUND=return]
b) Will I be able to log in using a local login if the ldap server is not up or my ldap.conf has some error?

Thanks in advance,

acid_kewpie 07-08-2009 10:54 AM

/etc/ldap and /etc/openldap/ldap.conf are DIFFERENT files, not to be confused.

You'll be able to use local files still, yes. Most notably, as the local files are listed first, it won't even go near ldap if it finds the user there. Run "getent passwd" to dump the list of users known to the system; that should show all of /etc/passwd followed by the ldap accounts if it's working ok.
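The check acid_kewpie describes, as an added example that is not part of the thread: read the lookup order for a database out of nsswitch.conf, confirm that files come before ldap (so local accounts keep working when the directory is down), and list the accounts that getent returns but /etc/passwd does not, i.e. the ones actually coming from LDAP. File paths other than the system defaults are taken as arguments so the functions can be run against copies of the configs.

```shell
#!/bin/sh
# Added example (not from the thread): inspect NSS account resolution.
# Assumptions: nsswitch.conf in the "db: source source [status=action]" form
# shown in the thread; getent(1) available for the live check at the bottom.

# Print the source list for one NSS database, e.g. "passwd", as written in
# nsswitch.conf (comments skipped; first matching line wins).
nss_sources() {
    db="$1"; conf="${2:-/etc/nsswitch.conf}"
    awk -v db="$db" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$conf"
}

# Succeed (exit 0) if the first source for the database is "files", meaning
# local accounts resolve without touching LDAP at all.
files_first() {
    first=$(nss_sources "$1" "$2" | awk '{ print $1 }')
    [ "$first" = "files" ]
}

# Usernames present in the NSS view (output of "getent passwd", saved to a
# file) that are absent from the local passwd file: the directory accounts.
directory_accounts() {
    nss_view="$1"; local_passwd="${2:-/etc/passwd}"
    awk -F: '
        NR == FNR { local_user[$1] = 1; next }   # first file: local passwd
        !($1 in local_user) { print $1 }         # second file: getent output
    ' "$local_passwd" "$nss_view"
}

# Live check on this host (skipped when the tools or files are missing).
if [ -r /etc/nsswitch.conf ] && command -v getent >/dev/null 2>&1; then
    echo "passwd sources: $(nss_sources passwd /etc/nsswitch.conf)"
    files_first passwd /etc/nsswitch.conf && echo "local files consulted first: yes"
    tmp=$(mktemp)
    getent passwd > "$tmp"
    echo "accounts from the directory: $(directory_accounts "$tmp" /etc/passwd | wc -l)"
    rm -f "$tmp"
fi
```

With "passwd: files ldap", a local user still logs in when the LDAP server is unreachable; what changes is lookups of names that are not in /etc/passwd, which then depend on the nss_ldap timeouts (the bind_policy soft and the short timelimit values in the ldap.conf above keep such lookups from hanging).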

someshpr 07-08-2009 01:57 PM

connects to ldap server but cannot log in!
Thanks Chris for the clarifications.

So I did this:
1. I did a

urpmi nss_ldap
on the Mandriva (Official 2008) as there was no ldap.conf in /etc/
2. I copied nsswitch.conf, ldap.conf and krb5.conf files from old working machine (RHEL5) and pasted them on to the new Mandriva /etc/
3. I did

urpmi nscd
on new machine and overwrote the nscd.conf with the nscd.conf from old one (RHEL5)
4. I ran

getent passwd; getent group
and it showed all the local groups/users as well as the groups/users via ldap. (Though the list of passwd seemed truncated, as I know there are thousands of users on the ldap server.)

So I tried to log in using the central login, but permission denied! I compared the output of getent passwd and getent group for the new Mandriva and the old working RHEL5. They seemed to be in line, though the RHEL one has a few more local entries than Mandriva. Should I post the local part of the getent output? Since the output is large and I'm not sure whether it will help, I am not including it in this post. But if you think the clue lies there, I'll post it.

Any idea, what I might be missing?

Thanks in advance,
-- Somesh

someshpr 12-15-2009 10:25 AM

Update -- solved
UPDATE -- Solved. Local time was wrong! Silly me!
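The cause named in that last post is worth a check of its own, as an added example that is not part of the thread: MIT Kerberos rejects authentication when the client and KDC clocks differ by more than the [libdefaults] "clockskew" tolerance (300 seconds unless set), which kinit and the PAM module report as "Clock skew too great". The script below reads the tolerance from a krb5.conf laid out like the one earlier in the thread and compares the local clock with a reference time in epoch seconds that the caller supplies (for instance from an NTP server); the reference is passed in rather than fetched so the functions run offline.

```shell
#!/bin/sh
# Added example (not from the thread): is this host's clock within the
# Kerberos clock-skew tolerance? Assumptions: krb5.conf in the "[section]"
# / "key = value" layout shown in the thread; a reference epoch time supplied
# by the caller (e.g. taken from an NTP server) as the first argument.

# Read "clockskew" from the [libdefaults] section of krb5.conf, falling back
# to the library default of 300 seconds when the relation is absent.
krb5_clockskew_limit() {
    conf="${1:-/etc/krb5.conf}"
    limit=$(awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { in_libdefaults = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_libdefaults {
            sub(/[[:space:]]*=[[:space:]]*/, " ")   # accept "key = value" and "key=value"
            if ($1 == "clockskew") { print $2; exit }
        }
    ' "$conf" 2>/dev/null)
    echo "${limit:-300}"
}

# Absolute difference, in seconds, between two epoch timestamps.
clock_skew_seconds() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    echo "$d"
}

# Succeed (exit 0) when local_epoch is within the configured tolerance of
# reference_epoch; fail otherwise, which is the state the thread ended in.
clock_within_skew() {
    skew=$(clock_skew_seconds "$1" "$2")
    limit=$(krb5_clockskew_limit "$3")
    [ "$skew" -le "$limit" ]
}

# Usage: sh clockcheck.sh <reference_epoch_seconds> [krb5.conf]
if [ -n "${1:-}" ]; then
    now=$(date +%s)
    if clock_within_skew "$now" "$1" "${2:-/etc/krb5.conf}"; then
        echo "clock ok: skew $(clock_skew_seconds "$now" "$1")s"
    else
        echo "clock skew $(clock_skew_seconds "$now" "$1")s exceeds $(krb5_clockskew_limit "${2:-/etc/krb5.conf}")s; Kerberos logins will fail" >&2
        exit 1
    fi
fi
```

Raising clockskew is the wrong fix; the tolerance exists to limit replay of captured authenticators, so the host should be synchronised to the same time source as the KDC instead.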
