I'm looking for a way to use a combination of kerberos & ldap authentication for (primarily Fedora 8) Linux workstations. My goal is to have an automated install that will allow users to authenticate to kerberos immediately after install, without the need to create host principals or extract keytabs.
Right now, when I ssh in, it hangs and I get this with debug turned on:

Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: trying previously-entered password for 'bking', allowing libkrb5 to prompt for more
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: authenticating '[EMAIL PROTECTED]' to 'krbtgt/[EMAIL PROTECTED]'
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: krb5_get_init_creds_password(krbtgt/[EMAIL PROTECTED] returned 0 (Success)
Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: got result 0 (Success)

Thoughts?

My (sanitized) krb5.conf:

[logging]
 default = SYSLOG:ERR:USER

[libdefaults]
 default_realm = REALM
 dns_lookup_kdc = false
 dns_lookup_realm = false
 noaddresses = true
 validate = false

[realms]
 EXPERTCITY.COM = {
  kdc = names1.realm
  master_kdc = names0.realm
  admin_server = names0.realm
  auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
  auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
  auth_to_local = DEFAULT
 }

[domain_realm]
 .realm = REALM

[appdefaults]
 pam = {
  forwardable = true
 }

My pam.d/system-auth:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug
#auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_krb5.so debug
account sufficient /lib/security/$ISA/pam_ldap.so debug
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok debug
password required /lib/security/$ISA/pam_deny.so debug
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
#session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional /lib/security/$ISA/pam_krb5.so debug
session optional /lib/security/$ISA/pam_ldap.so debug

Any ideas? Is what I'm trying even possible?

Thanks,
-- 
Barry King
[EMAIL PROTECTED]
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
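As an added example (not part of Barry's post, of pam_krb5, or of any distribution tool), a small Python linter that parses a system-auth style PAM stack and flags the points a reviewer would raise about the stack above: an auth stack built from sufficient entries whose closing pam_deny line is commented out, nullok on pam_unix (accounts with an empty password are accepted), and debug options left enabled. The sample input is re-typed from the post's auth and password lines; the finding codes are this example's own naming.

```python
import re
# Constructed input: the post's auth and password stacks, pam_deny commented out as posted.
SAMPLE_SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug
#auth required /lib/security/$ISA/pam_deny.so
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok debug
password required /lib/security/$ISA/pam_deny.so debug
"""

# type, control (a word or a [bracketed] action list), module path, optional args
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam(text):
    """Return (type, control, module basename, [args]) tuples; comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m: raise ValueError("unparseable PAM line: %r" % raw)
        typ, control, module, args = m.groups()
        entries.append((typ.lstrip("-"), control, module.rsplit("/", 1)[-1],
                        (args or "").split()))
    return entries

def lint_pam(text):
    """Return (code, type, module) findings for the PAM stack in `text`."""
    findings, stacks = [], {}
    for entry in parse_pam(text):
        stacks.setdefault(entry[0], []).append(entry)
    for typ, stack in stacks.items():
        for _, _, module, args in stack:
            if "nullok" in args:   # pam_unix: accounts with an empty password get in
                findings.append(("nullok", typ, module))
            if "debug" in args:    # verbose module logging left enabled
                findings.append(("debug", typ, module))
        _, last_control, last_module, _ = stack[-1]
        # Convention for auth/password stacks built from `sufficient` entries: close
        # with a required pam_deny so a miss never falls through to an earlier result.
        if (typ in ("auth", "password")
                and any(c == "sufficient" for _, c, _, _ in stack)
                and not (last_module == "pam_deny.so"
                         and last_control in ("required", "requisite"))):
            findings.append(("no-terminal-deny", typ, last_module))
    return findings
```

To run it against a real system, read /etc/pam.d/system-auth into a string and pass it to lint_pam; each finding is a (code, stack type, module) tuple.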