Trouble authenticating with Kerberos & LDAP - (Kerberos on W2K3 AD server, LDAP on OpenLDAP/Unix)

I've been very frustrated trying to get this to work.  We are trying to
use a Windows 2003 server as our Kerberos server, along with our
OpenLDAP on Solaris as our directory server.  The machines we want to
authenticate on are all Solaris 9.

The LDAP tree is fully populated and working properly.  With our
current nsswitch.conf, logins work using the LDAP directory (with
posixAccount & shadowAccount records), as does a getent passwd
<ldapusername>.
Also, we have our Windows 2003 server's directory set up with named
users, and with our current pam.conf, we can authenticate against
Kerberos if we have a local passwd entry for that user.  However, if we
remove the local passwd entry, I can't authenticate.

I've already added keytab entries for the LDAP host, LDAP server
(host/hostname & ldap/hostname), and the server I'm trying to log in to.
I used FQDNs in all my ktpass.exe key generations, but I'm noticing
that most of our machines have short hostnames in their
/etc/hostname.intN files.  DNS resolution does work and returns an
FQDN...

Any ideas what I'm doing wrong here?  A tcpdump reveals that a failed
login attempt talks to both the LDAP & Kerberos servers, but doesn't
log me in.  Below is my pam.conf.

thanks!
-Steve R.


# Authentication
#
# passwd command (explicit because of a different authentication
# module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# Default definition for Authentication management
# Used when service name is not explicitly mentioned for authentication
#   management
#
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_krb5.so.1 use_first_pass
#
# Account
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
# See notes about pam_krb5 in "other" section below
cron    account optional        pam_krb5.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
# management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
# According to the pam_krb5 man page, this checks for password
# expiration.
# I'm not sure this does anything since I've flagged it as optional.
# I'm not sure if I can make it required because of root.
other   account optional        pam_krb5.so.1
#
# Session
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
# management
#
other   session optional        pam_krb5.so.1
other   session required        pam_unix_session.so.1
#
# Password
#
# (Don't list pam_krb5 here, this section is only for root.  Regular
# users must use the centralized department password changing
# mechanism.)
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password
# management
#
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

stevendavidruiz
10/5/2005 4:07:14 PM
comp.unix.admin

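The post raises the question of whether short hostnames in /etc/hostname.intN matter when every keytab entry was generated with an FQDN. pam_krb5 looks up the host/<fqdn> key in the local keytab to verify the credentials it obtains, which is the step that defends against a spoofed KDC, so the instance in the keytab has to match the name the host actually resolves to. The following POSIX shell check is an added example and not code from the original post: it reads `klist -k` style output and compares each service principal's instance with the FQDN the host should be using. The keytab listing, the names box1/box2/ldap1.example.com and the realm EXAMPLE.COM are constructed for the example, and obtaining the canonical name via `getent hosts` is an assumption about how a Solaris box reports its FQDN.

```shell
#!/bin/sh
# Added example, not from the original post: check that the service principals
# in a keytab use the FQDN this host resolves to, and that a host/<fqdn>
# principal is present at all. The keytab listing below is constructed.

# check_keytab_principals FQDN
# Reads `klist -k` style output on stdin. For each "KVNO principal" line it
# prints a status and the principal:
#   OK         instance equals FQDN
#   OTHERHOST  instance is a fully qualified name of some other host
#   SHORTNAME  instance has no domain part (the mismatch the post worries about)
#   MISSING    no host/FQDN principal was found at all
# Exit status is non-zero when any SHORTNAME or MISSING line was printed.
check_keytab_principals() {
    awk -v fqdn="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /\/[^@]+@/ {
            inst = $2
            sub(/^[^\/]*\//, "", inst)   # drop the "service/" part
            sub(/@.*$/, "", inst)        # drop the "@REALM" part
            if (inst == fqdn) {
                status = "OK"
                if ($2 ~ /^host\//) seen_host = 1
            } else if (inst !~ /\./) {
                status = "SHORTNAME"; bad++
            } else {
                status = "OTHERHOST"
            }
            printf "%-9s %s\n", status, $2
        }
        END {
            if (!seen_host) { printf "%-9s host/%s@<realm>\n", "MISSING", fqdn; bad++ }
            exit (bad > 0)
        }'
}

# expected_fqdn: the canonical name the resolver returns for this host.
# Assumption: getent(1M) prints "address canonical-name [aliases...]".
expected_fqdn() {
    getent hosts "$(hostname)" | awk '{ print $2; exit }'
}

# Live use on the login host (not executed here):
#   klist -k | check_keytab_principals "$(expected_fqdn)"

# Constructed `klist -k` output for the walk-through.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/box1.example.com@EXAMPLE.COM
   3 ldap/ldap1.example.com@EXAMPLE.COM
   2 host/box2@EXAMPLE.COM'

if ! printf '%s\n' "$SAMPLE_KLIST" | check_keytab_principals box1.example.com; then
    echo "keytab needs attention (see SHORTNAME/MISSING lines above)"
fi
```

Run it on the host you are trying to log in to, not on the KDC: what matters is that the name in that host's keytab equals the name its own resolver hands back. An OTHERHOST line is only informational (a keytab may legitimately carry entries for another service), while a SHORTNAME or MISSING line means pam_krb5 has no usable host key.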

Never mind.  Had to add session and account sections for ldap, and
remove the kerberos stuff there.  Works great.

stevendavidruiz
10/7/2005 4:35:28 AM
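The reply says the fix was to give the account and session phases LDAP entries and take pam_krb5 out of them, but does not show the resulting file. Which lines a given login actually runs is easy to misjudge in a Solaris pam.conf, because the "other" entries for a module type apply only when the service has no entry of its own for that type (cron, for instance, keeps its own account stack). The script below is an added example, not code from the thread: it resolves the effective stack per service and type and checks whether a module is present. The pam.conf it writes is constructed; its auth lines follow the post, and the pam_ldap.so.1 account and session lines are my assumption of what "add session and account sections for ldap" looks like on Solaris 9.

```shell
#!/bin/sh
# Added example, not from the original thread: resolve the effective PAM stack
# for a service from a Solaris-style pam.conf, honouring the rule that "other"
# entries apply only when the service has no entry of its own for that type.
# The pam.conf below is constructed; the pam_ldap.so.1 account/session lines
# are an assumption about the poster's final configuration.

PAMCONF=${TMPDIR:-/tmp}/pam.conf.example.$$
trap 'rm -f "$PAMCONF"' EXIT
cat > "$PAMCONF" <<'EOF'
# service  type     control     module             options
passwd     auth     required    pam_passwd_auth.so.1
other      auth     requisite   pam_authtok_get.so.1
other      auth     sufficient  pam_unix_auth.so.1
other      auth     required    pam_krb5.so.1 use_first_pass
cron       account  required    pam_projects.so.1
cron       account  required    pam_unix_account.so.1
other      account  requisite   pam_roles.so.1
other      account  required    pam_projects.so.1
other      account  required    pam_unix_account.so.1
other      account  required    pam_ldap.so.1
other      session  required    pam_unix_session.so.1
other      session  optional    pam_ldap.so.1
EOF

# pam_stack FILE SERVICE TYPE
# Prints "control module [options]" for each stacked module, in order.
# If SERVICE has at least one entry for TYPE, only those lines are used;
# otherwise the "other" lines for TYPE are the effective stack.
pam_stack() {
    awk -v svc="$2" -v type="$3" '
        /^[ \t]*#/ || NF < 4 { next }      # comments, blank and short lines
        $2 != type           { next }
        {
            rest = $3
            for (i = 4; i <= NF; i++) rest = rest " " $i
        }
        $1 == svc     { s[++n] = rest; next }
        $1 == "other" { o[++m] = rest }
        END {
            if (n > 0) for (i = 1; i <= n; i++) print s[i]
            else       for (i = 1; i <= m; i++) print o[i]
        }' "$1"
}

# stack_has FILE SERVICE TYPE MODULE: true if MODULE is in the effective stack.
stack_has() {
    pam_stack "$1" "$2" "$3" | awk -v mod="$4" '$2 == mod { f = 1 } END { exit !f }'
}

# Show what login (falls through to "other" everywhere) and cron (has its
# own account stack) really execute.
for svc in login cron; do
    for type in auth account session; do
        echo "== $svc $type =="
        pam_stack "$PAMCONF" "$svc" "$type"
    done
done
```

Read the output with the control flags in mind: in the auth stack, `sufficient pam_unix_auth.so.1` returns success as soon as the Unix (here nsswitch/LDAP-backed) password check passes, so pam_krb5 with `use_first_pass` is only reached when that check fails. In the account stack, the cron service never sees pam_ldap.so.1 because its own two lines override "other" for that type; if cron jobs for LDAP users need account checks, they need their own ldap line.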