01-26-2010, 11:23 AM

Kerberos integration in directory server

Hi,

Got some issues regarding Kerberos and Directory Server and hope someone can help me out.
Used these for the configuration:
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html

Server : CentOS 5.4 with Kerberos and Directory Server installed
Client : CentOS 5.4

I use putty to connect to the client, which authenticates against the server.
Using Kerberos or LDAP worked perfectly (using system-config-authentication on the client for configuration)

The only thing that doesn't seem to work is the kerberized version of the login via LDAP on the Directory Server. Shouldn't I get a Kerberos ticket for that? If I activate Kerberos AND LDAP in system-config-authentication it fails:

Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user unknown
Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error retrieving information about user testuser
Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user testuser from 192.168.0.1 port 1142 ssh2

I followed the instructions here :
http://directory.fedoraproject.org/wiki/Howto:Kerberos

Maybe I just didn't get it

Thanks in advance,

Peter
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
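The sshd lines above show the account never reaching the password check at all: "user unknown", "error retrieving information about user" and "invalid user" are what sshd and PAM log when getpwnam() cannot resolve the name, which points at NSS (nsswitch.conf / nss_ldap) rather than at Kerberos. As an added example, not part of the original post, a small Python triage script that groups sshd lines by PID and separates that case from a rejected password; the sample log is constructed from the lines quoted above plus one constructed attempt for a user that does resolve.

```python
import re
from collections import OrderedDict

# Constructed sample log: the four sshd lines from the post for testuser, plus
# one constructed attempt (pid 4011) for a user "bob" that does resolve, so
# both verdicts are exercised.
SAMPLE_LOG = """\
Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user unknown
Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error retrieving information about user testuser
Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user testuser from 192.168.0.1 port 1142 ssh2
Jan 25 13:30:12 monarch sshd[4011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1  user=bob
Jan 25 13:30:14 monarch sshd[4011]: Failed password for bob from 192.168.0.1 port 1150 ssh2
"""

LINE_RE = re.compile(r"^\S+ +\d+ \S+ (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOOKUP_FAILED_RE = re.compile(r"error retrieving information about user (\S+)")
INVALID_USER_RE = re.compile(r"Failed password for invalid user (\S+) from (\S+)")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

HINTS = {
    "nss_lookup_failed": "getpwnam() found no such user, so no password was ever checked: confirm "
                         "/etc/nsswitch.conf lists ldap for passwd, shadow and group, then run "
                         "'getent passwd <user>' on the client",
    "auth_rejected": "the user resolved via NSS but the auth stack (pam_krb5/pam_unix) rejected "
                     "the password; check the KDC side with 'kinit <user>'",
}

def triage_sshd_log(text):
    """Group sshd lines by PID; return {pid: {"user", "rhost", "verdict", "hint"}}.

    nss_lookup_failed: the account could not be resolved (nsswitch / nss_ldap problem).
    auth_rejected:     the account resolved but the password was rejected (Kerberos/PAM problem).
    """
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        s = sessions.setdefault(m.group("pid"), {"user": None, "rhost": None, "verdict": None})
        msg = m.group("msg")
        lookup, invalid, failed = (LOOKUP_FAILED_RE.search(msg), INVALID_USER_RE.search(msg),
                                   FAILED_RE.search(msg))
        if lookup:
            s.update(user=lookup.group(1), verdict="nss_lookup_failed")
        elif invalid:
            s.update(user=invalid.group(1), rhost=invalid.group(2), verdict="nss_lookup_failed")
        elif failed:  # a plain "Failed password" for a user that did resolve
            s.update(user=failed.group(1), rhost=failed.group(2),
                     verdict=s["verdict"] or "auth_rejected")
    for s in sessions.values():
        s["hint"] = HINTS.get(s["verdict"])
    return sessions
```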
 
01-26-2010, 01:59 PM
Dan Burkland

Kerberos integration in directory server

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> Behalf Of nimmermehr@chello.at
> Sent: Tuesday, January 26, 2010 6:23 AM
> To: centos@centos.org
> Subject: [CentOS] Kerberos integration in directory server
>

My setup is a tad different from yours in that I integrated MIT Kerberos with OpenLDAP. While our configurations are different, I'm sure you're trying for kerberized logins (the system authenticates against Kerberos and pulls account information from LDAP). If so, here are some items you may want to verify you have included in your system-auth config file.

auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_unix.so nullok try_first_pass

account sufficient pam_ldap.so
account required pam_unix.so

password sufficient pam_krb5.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

session optional pam_keyinit.so revoke
session optional pam_krb5.so

Dan
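As an added example, not part of Dan's reply: a Python lint for a system-auth stack that follows the pattern above (pam_krb5 authenticates, pam_ldap supplies the account). It also catches misspelled options such as use_authok, because a PAM module does not fail on an unknown option (pam_unix only logs "unrecognized option"), so the stack quietly behaves differently from what the file appears to say. The sample stack, the finding texts and the OPTION_TYPOS table are this example's own.

```python
# Constructed sample of /etc/pam.d/system-auth for the "authenticate against
# Kerberos, take the account from LDAP" pattern; the use_authok misspelling
# is left in deliberately so the linter has something to catch.
SAMPLE_SYSTEM_AUTH = """\
auth     sufficient pam_krb5.so use_first_pass
auth     sufficient pam_unix.so nullok try_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix.so
password sufficient pam_krb5.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authok
session  optional   pam_keyinit.so revoke
session  optional   pam_krb5.so
"""

TYPES = {"auth", "account", "password", "session"}
# A misspelled option is ignored apart from a syslog line: without use_authtok,
# pam_unix prompts for the new password again instead of reusing pam_krb5's.
OPTION_TYPOS = {"use_authok": "use_authtok"}

def parse_pam(text):
    """Return [(type, control, module, [options])], skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((parts[0].lower(), parts[1].lower(), parts[2], parts[3:]))
    return entries

def lint_kerberized_stack(text):
    """Return findings as strings; an empty list means the stack matches the pattern."""
    entries, findings = parse_pam(text), []
    for typ, _ctl, mod, opts in entries:
        if typ not in TYPES:
            findings.append("unknown module type %r" % typ)
        for opt in opts:
            if opt in OPTION_TYPOS:
                findings.append("%s %s: %r is misspelled, expected %r"
                                % (typ, mod, opt, OPTION_TYPOS[opt]))
        if typ == "auth" and mod == "pam_unix.so" and "nullok" in opts:
            findings.append("auth pam_unix.so: nullok lets local accounts with an empty password in")
    present = {(t, m) for t, _, m, _ in entries}
    if ("auth", "pam_krb5.so") not in present:
        findings.append("no pam_krb5.so in auth: passwords are never checked against the KDC")
    if ("account", "pam_ldap.so") not in present:
        findings.append("no pam_ldap.so in account: LDAP account checks never run")
    return findings
```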
 
01-27-2010, 11:29 AM

Kerberos integration in directory server

Just to see if I understood it correctly:
It is mandatory that every LDAP user has a functional Kerberos login (user and PW). Is it possible for such a user to access a server that only has LDAP for authentication and checks against the LDAP server?

About testing: how can I check if the information is pulled out of LDAP?

Thanks in advance

Peter
 
01-27-2010, 01:08 PM
Dan Burkland

Kerberos integration in directory server

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> Behalf Of nimmermehr@chello.at
> Sent: Wednesday, January 27, 2010 6:29 AM
> To: centos@centos.org
> Subject: [CentOS] Kerberos integration in directory server
>

If you are utilizing Kerberos for the authentication part of the process, then you need the user to exist in LDAP as well, as Kerberos cannot hold Unix account information (UID, GID, etc.). I'm not too certain where Directory Server stores its log files, but you should be able to check there for lookups of "username" around the time of the attempted login.

Dan