LinuxQuestions.org
07-06-2009, 04:38 PM   #1
someshpr (Member; Registered: Jul 2009; Location: WI, USA; Distribution: Debian 8, Ubuntu 16.04, CentOS 7)
Local login via kerberos authentication


Hi,
I am new to LQ, and Linux system administration!

In our office we log in to our local machines via a remote kerberos authentication server (kerb.abc.edu), so we actually don't need to create any local login on any of the machines. The home directories are automounted via an nfs fileserver.
Now we have a new machine with Mandriva. I want to set up a similar logon procedure for this machine. I copied the content of the /etc/krb5.conf file from one of our old machines to the new machine. But I still cannot log in without a local login. What are the things I need to change to achieve this?
The content of /etc/krb5.conf is

Quote:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = kerb.abc.edu
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]

[domain_realm]

kerb.abc.edu = kerb.abc.edu
.kerb.abc.edu = kerb.abc.edu
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
What more info should I post, if any?

Thanks in advance!
-- Somesh
 
07-07-2009, 04:54 PM   #2
acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos)
My kerberos isn't too hot, but firstly it's for authentication only, not user information, and that's the first step. You need to obtain a POSIX-compliant user account, e.g. from ldap, nis or such like, and then use that account to authenticate with kerberos and get a ticket. So on other linux boxes, check /etc/nsswitch.conf to start off by seeing where they get their user info from.
07-08-2009, 09:23 AM   #3
someshpr (Original Poster)
two more questions!

Quote:
Originally Posted by acid_kewpie View Post
...check /etc/nsswitch.conf to start off by seeing where they get their user info from.
Thanks, acid_kewpie!
I checked nsswitch.conf and ldap.conf and found

nsswitch: (only uncommented lines)
Quote:
passwd: files ldap [NOTFOUND=return]
shadow: files
group: files ldap [NOTFOUND=return]
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
ldap: (only uncommented lines)
Quote:
base dc=abc,dc=edu
uri ldap://xyz.mn.abc.edu
timelimit 5
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
nss_default_attribute_value cn Anonymous
Before I change nsswitch.conf and ldap.conf in the new machine, I just want to know:

a) The reference files are from a RHEL5 installation where both ldap.conf and nsswitch.conf are in /etc/; but the new machine, which has Mandriva, has nsswitch.conf in /etc/ and ldap.conf in /etc/open-ldap/. So should this different path of ldap.conf be incorporated in nsswitch.conf, i.e., should I change nsswitch.conf to
Quote:
passwd: files open-ldap/ldap [NOTFOUND=return]
...
b) Will I be able to log in using a local login if the ldap server is not up or my ldap.conf has some error?

Thanks in advance,
--Somesh
 
07-08-2009, 10:54 AM   #4
acid_kewpie
/etc/ldap.conf and /etc/openldap/ldap.conf are DIFFERENT files, not to be confused.

You'll still be able to use local files, yes. Most notably, as the local files are listed first, it won't even go near ldap if it finds the user there. Run "getent passwd" to dump the list of users known to the system; that should show all of /etc/passwd followed by the ldap accounts if it's working ok.
07-08-2009, 01:57 PM   #5
someshpr (Original Poster)
connects to ldap server but cannot log in!

Thanks Chris for the clarifications.

So I did this:
1. I did a
Code:
urpmi nss_ldap
on the Mandriva (Official 2008) as there was no ldap.conf in /etc/
2. I copied the nsswitch.conf, ldap.conf and krb5.conf files from the old working machine (RHEL5) and pasted them onto the new Mandriva /etc/
3. I did
Code:
urpmi nscd
on new machine and overwrote the nscd.conf with the nscd.conf from old one (RHEL5)
4. I ran
Code:
getent passwd; getent group
and it showed all the local groups/users as well as groups/users via ldap. (Though the list of passwd seemed truncated, as I know there are thousands of users on the ldap server).

So I tried to log in using the central login, but permission denied! I compared the output of getent passwd and getent groups for the new Mandriva and the old working RHEL5. They seemed to be in line, though the RHEL one has a few more local entries than Mandriva. Should I post the local part of the getent output? Since the output is large and I'm not sure whether it will help, I am not including it in this post. But if you think the clue lies there, I'll post it.

Any idea, what I might be missing?

Thanks in advance,
-- Somesh
 
12-15-2009, 10:25 AM   #6
someshpr (Original Poster)
Update -- solved

UPDATE -- Solved. Local time was wrong! Silly me!
Tags
kerberos, ldap, mandriva
All times are GMT -5.