Ryan Lynch wrote: [snip]
> There are some differences between our setups. The biggest difference
> appears to be that I'm using 'pam_krb5' in combination with
> 'nss_ldap', because my user/group accounts are stored in LDAP (on an
> MS Active Directory DC). All accounts are either purely local (only
> exist in /etc/passwd, group, and shadow), or purely AD (only exist in
> Kerberos and LDAP)--there are no overlapping cases, where an account
> has a local /etc/passwd entry and a Kerberos principal, as well.

Getting LDAP up and running is the next step for me; in my case, the directory will be hosted on this same machine. So I expect to be adding those bits shortly.

> - Authenticating SSH logins via Kerberos tokens requires some changes
> to ssh_config, and possibly sshd_config, as well. If you haven't
> modified either the client or server for GSS/Kerberos operations, and
> you're not using any special command-line options, that may be part of
> your problem.

ssh appears to be working without me doing anything special in sshd_config; my understanding is that once Kerberos is working with PAM, the things that can use PAM will Just Work. I'm attributing successful ssh logins to this.

> - I wanted to echo Javier's suggestion about using the 'debug'
> parameter to 'pam_krb5'. You can activate it via the 'system_auth'
> lines, or via your 'krb5.conf'. I could not have gotten my setup to
> work without the debug messages.

No doubt that will come in handy. Thanks...

--
Braden McDaniel e-mail: <bra...@endoframe.com>
<http://endoframe.com> Jabber: <bra...@jabber.org>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos