Single Login with LDAP and Kerberos
Hello,
I have LDAP and kerberos working, with a test user database in place.
If i do a kinit I get the correct tgt and ldap tickets.
I can then do an ldap search on anything (that im supposed to)
ldapwhoami works with and without -x (without yields anonymous)
finger works fine for ldap users, as well as file stats.
It looks like everything is working fine.
so, how the hell do I set up the client so that I can type my LDAP login name and Kerberos password
to log in... it won't let me in unless i create the account on the local machine. I can then log in with my krb5 password. But i want to be able to log in with no account on the local system (i.e. completly relying on LDAP/krb5).
This is debian so that pam conf files are a little screwy.
#common-auth
auth sufficient /tmp/pam_athena_auth.so use_first_pass nullok
auth sufficient pam_krb5.so use_first_pass try_first_pass forwardable
auth sufficient pam_unix.so use_first_pass nullok_secure
#common-account
account required pam_unix.so
#common-session
session optional pam_unix.so
session optional pam_krb5.so
#session optional pam_krb4.so
session optional pam_openafs_session.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0
#common-password
password sufficient pam_unix.so nullok obscure min=4 max=8 md5
password sufficient /lib/security/pam_krb5.so use_authtok
password required pam_deny.so
If no local account exisits /var/log/authlog shows:
error: PAM: Permission denied for illegal user [username] from localhost.localdomain
and i just keep getting password prompts.
I can however log in as any local account with the localpassword.
please help.
thanks
|