LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   cannot authenticate to AD after Kerberos client install (https://www.linuxquestions.org/questions/linux-security-4/cannot-authenticate-to-ad-after-kerberos-client-install-395995/)

bret 12-23-2005 02:49 PM

cannot authenticate to AD after Kerberos client install
 
I would like to be able to authenticate to Active Directory from Linux, rather than use the local /etc/passwd method. I have set up the client install for Kerberos on SuSE Linux 9.1 ES. I am able to bring up a command prompt and execute "kinit userid", and successfully authenticate to AD.

I did the standard install through Yast.
- I selected the Kerberos client install, and put in my domain, as well as my DNS, as asked. My /etc/security/pam_unix2.conf is as follows:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

This file gets modified from the 'Yast Install Kerberos client'.

After rebooting the Linux server, I cannot enter an AD userid (I get "Login failed"). I also get the following log entries in /var/log/messages:

pam_krb5: unable to determine uid/gid for user
pam_krb5: authentication fails for 'xxxxxx'
pam_krb5: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)


I can only enter ids that exist in etc/local. Once logged in (using an /etc/passwd id) I can then run kinit and authenticate to AD. Any ideas how to get my Linux server to allow initial authentication to AD from the login prompt?

Thanks in advance,

Bret

sidmark-2850 12-24-2005 01:31 AM

You could run winbind on your system. Kerberos only authenticates users and does not provide user information like uid, gid, home directory, login shell, etc. Information on winbind can be found on www.samba.org.

You can also look up Services for Unix, as this will allow you to add Unix schema attributes into your Active Directory. This may not be desirable, as the schema attributes cannot be removed once the schema is extended.

Sid.

Cabous 01-09-2006 11:45 PM

Got the same issues as you Bret
 
Bret;
Have you got this working by now? I can also use kinit fine, but logging on is another story. Somehow authentication just doesn't go to the ADS server.

Thanks
Later

live_dont_exist 01-10-2006 01:19 AM

Wrong forum guys... this is a security forum... a Samba forum should help you much better, but still... Yeah, winbindd needs to be running...

This is all you need in your /etc/krb5.conf :-

Code:

[root@arvind Perl]# more /etc/krb5.conf
[libdefaults]
 default_realm = xxxxx.NET
 
[realms]
 xxxxx.NET = {
  kdc = domaincontroller.xxxxx.net
  default_domain = xxxxx.NET
 }
 
# the section krb5 reads for host-to-realm mapping is [domain_realm] (singular)
[domain_realm]
        .kerberos.server = xxxxx.NET

If kinit is working then you need to run net ads join to add your machine into the domain so you can access other Windows machines. You need domain admin rights to do this.

Cheers
Arvind
p.s. Try and move your thread out of here into a different forum. You'll get more help there...

bret 02-02-2006 05:14 PM

Now it works! Here's what I did.
 
How to setup SuSE Linux authentication to use Active Directory

1) From the linux desktop, start YaST
2) Select [Networking Services]
a. Select [Kerberos Client]
i. Select radio button [Use Kerberos]
ii. Basic Kerberos Settings
1. Default Domain: YOURDOMAIN.COM
2. Default Realm: YOURDOMAIN.COM
3. KDC Server Address: windowsdc.yourdomain.com
4. CLICK [Finish]
(this dialog will modify /etc/krb5.conf)

3) From a command prompt
a. kinit userid (where userid is your 5 digit network id)
You will be prompted for your password
eg. 12345@YOURDOMAIN.COM’s Password:

your response will be:
kinit: NOTICE: ticket renewable lifetime is 1 week

4) Once you have verified the Kerberos client setup is working, you will need to tie the Linux login screen to Kerberos.
a. Edit the /etc/security/pam_unix2.conf file. Add the following lines:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

5) Add user manually to /etc/passwd (make sure you use a unique uid!!!!)

12345:x:1002:100:Joe Geeko:/home/12345:/bin/bash

6) Create user’s home directory

cp -R /etc/skel /home/12345

7) Change ownership to new user

chown -R 12345. /home/12345

8) you can now logout and login with your new Active Directory credentials.

note: the userids I use are numeric, and must be added manually to /etc/passwd. If you have userids that don't start with a numeric, you will be able to use YaST or useradd.

I did not need to install winbind or samba. I also didn't need to do a net ads join.

These instructions are simply designed to allow you to use your AD user id to authenticate to linux.
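Steps 5 to 7 of the post, as an added shell example that is not from the thread: Kerberos proves the password, but uid, gid, home and shell still come from /etc/passwd, which is why pam_krb5 failed with "unable to determine uid/gid" until the local entry existed. The function names are assumptions; gid 100 and /bin/bash are taken from the example passwd line in the post, and the passwd file and home base are parameters so the functions can be tried on a scratch copy before touching /etc/passwd as root.

```shell
#!/bin/sh
# Added example, not from the thread: steps 5-7 of the post as functions.
# On the real box pass /etc/passwd and /home and run as root.

# Print the lowest uid >= 1000 not already used in PASSWD_FILE.
next_free_uid() {
    passwd_file=$1
    uid=1000
    while cut -d: -f3 "$passwd_file" | grep -qxF "$uid"; do
        uid=$((uid + 1))
    done
    echo "$uid"
}

# register_ad_user PASSWD_FILE USERID GECOS HOME_BASE
# Appends the passwd line for an AD user and prints the uid chosen.
# Refuses (exit 1) if the login name already exists, so a duplicate
# entry cannot silently shadow an existing account.
# gid 100 and /bin/bash are taken from the example line in the post.
register_ad_user() {
    passwd_file=$1 userid=$2 gecos=$3 home_base=$4
    if cut -d: -f1 "$passwd_file" | grep -qxF "$userid"; then
        echo "register_ad_user: $userid already in $passwd_file" >&2
        return 1
    fi
    uid=$(next_free_uid "$passwd_file")
    printf '%s:x:%s:100:%s:%s/%s:/bin/bash\n' \
        "$userid" "$uid" "$gecos" "$home_base" "$userid" >> "$passwd_file"
    echo "$uid"
}

# make_home UID HOME_DIR SKEL_DIR
# Copies the skeleton and hands the directory to the new uid (needs root).
make_home() {
    uid=$1 home_dir=$2 skel=$3
    cp -R "$skel" "$home_dir"
    chown -R "$uid:100" "$home_dir"
}

# Usage on the real system, as root:
#   uid=$(register_ad_user /etc/passwd 12345 "Joe Geeko" /home)
#   make_home "$uid" /home/12345 /etc/skel
```

The userid must match the Kerberos principal name (12345@YOURDOMAIN.COM in the post), since pam_krb5 looks the login name up in /etc/passwd after the KDC has accepted the password.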

