08-17-2010, 08:51 AM
Christoph Höger
SSSD and Kerberos tickets


Hi all,

I'd like to get a kerberos ticket every time I login to my f13 box, and
run aklog afterwards automagically. The second part can be handled with
kstart, but how do I get the first part with the new authconfig/sssd
tools done? To make things a little bit more difficult: I have a local
username that's different from my kerberos user name.

Any ideas?

Christoph
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
08-17-2010, 01:45 PM
Stephen Gallagher
SSSD and Kerberos tickets


On 08/17/2010 04:51 AM, Christoph Höger wrote:
> Hi all,
>
> I'd like to get a kerberos ticket every time I login to my f13 box, and
> run aklog afterwards automagically. The second part can be handled with
> kstart, but how do I get the first part with the new authconfig/sssd
> tools done? To make things a little bit more difficult: I have a local
> username that's different from my kerberos user name.
>
> Any ideas?
>
> Christoph


The easiest way is to not use a separate local username. With SSSD, it
can cache the credentials so you can still log on with your kerberos
password when you're not connected to the network.

So if you set up your user account to log in with SSSD's kerberos, it
will automatically get you a TGT during login (or, if you log in
offline, it can be configured to automatically get the TGT once you go
online, such as connecting to a VPN).

Of course, the catch here is that your kerberos user needs to be linked
to a user account on a centrally-managed database, ideally LDAP.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
 
08-17-2010, 07:25 PM
Christoph Höger
SSSD and Kerberos tickets


On 17.08.2010 15:45, Stephen Gallagher wrote:
> On 08/17/2010 04:51 AM, Christoph Höger wrote:
>> Hi all,
>
>> I'd like to get a kerberos ticket every time I login to my f13 box, and
>> run aklog afterwards automagically. The second part can be handled with
>> kstart, but how do I get the first part with the new authconfig/sssd
>> tools done? To make things a little bit more difficult: I have a local
>> username that's different from my kerberos user name.
>
>> Any ideas?
>
>> Christoph
>
>
> The easiest way is to not use a separate local username. With SSSD, it
> can cache the credentials so you can still log on with your kerberos
> password when you're not connected to the network.
>
> So if you set up your user account to log in with SSSD's kerberos, it
> will automatically get you a TGT during login (or, if you log in
> offline, it can be configured to automatically get the TGT once you go
> online, such as connecting to a VPN).
>
> Of course, the catch here is that your kerberos user needs to be linked
> to a user account on a centrally-managed database, ideally LDAP.

Ok, since my university does not give me any info about that LDAP (and
I do not want to rely on their IT for logging in locally), is there no
other solution to simply run kstart from pam and query for the ticket
password at startup with sssd?
 
08-17-2010, 07:59 PM
Stephen Gallagher
SSSD and Kerberos tickets


On 08/17/2010 03:25 PM, Christoph Höger wrote:
> On 17.08.2010 15:45, Stephen Gallagher wrote:
>> On 08/17/2010 04:51 AM, Christoph Höger wrote:
>>> Hi all,
>
>>> I'd like to get a kerberos ticket every time I login to my f13 box, and
>>> run aklog afterwards automagically. The second part can be handled with
>>> kstart, but how do I get the first part with the new authconfig/sssd
>>> tools done? To make things a little bit more difficult: I have a local
>>> username that's different from my kerberos user name.
>
>>> Any ideas?
>
>>> Christoph
>
>
>> The easiest way is to not use a separate local username. With SSSD, it
>> can cache the credentials so you can still log on with your kerberos
>> password when you're not connected to the network.
>
>> So if you set up your user account to log in with SSSD's kerberos, it
>> will automatically get you a TGT during login (or, if you log in
>> offline, it can be configured to automatically get the TGT once you go
>> online, such as connecting to a VPN).
>
>> Of course, the catch here is that your kerberos user needs to be linked
>> to a user account on a centrally-managed database, ideally LDAP.
>
> Ok, since my university does not give me any info about that LDAP (and
> I do not want to rely on their IT for logging in locally), is there no
> other solution to simply run kstart from pam and query for the ticket
> password at startup with sssd?

SSSD isn't going to help you in this case. What you probably just want
to do is write a script to include in your .bash_profile script so that
when you log in, your shell calls "cat /path/to/mysecretpassword.txt
| kinit".



 
08-17-2010, 08:23 PM
Christoph Höger
SSSD and Kerberos tickets

> > Ok, since my university does not give me any info about that LDAP (and
> > I do not want to rely on their IT for logging in locally), is there no
> > other solution to simply run kstart from pam and query for the ticket
> > password at startup with sssd?
>
> SSSD isn't going to help you in this case. What you probably just want
> to do is write a script to include in your .bash_profile script so that
> when you log in, your shell calls "cat /path/to/mysecretpassword.txt
> | kinit".

Hnn. Does not sound like what I want. I know that this "grab a ticket
upon login" semantic can be added to pam; does sssd interfere somehow,
or can I just apply $RANDOM_TUTORIAL?

 
08-17-2010, 08:28 PM
Stephen Gallagher
SSSD and Kerberos tickets


On 08/17/2010 04:23 PM, Christoph Höger wrote:
>
>>> Ok, since my university does not give me any info about that LDAP (and
>>> I do not want to rely on their IT for logging in locally), is there no
>>> other solution to simply run kstart from pam and query for the ticket
>>> password at startup with sssd?
>>
>> SSSD isn't going to help you in this case. What you probably just want
>> to do is write a script to include in your .bash_profile script so that
>> when you log in, your shell calls "cat /path/to/mysecretpassword.txt
>> | kinit".
>
> Hnn. Does not sound like what I want. I know that this "grab a ticket
> upon login" semantic can be added to pam; does sssd interfere somehow,
> or can I just apply $RANDOM_TUTORIAL?
>
>

Please rephrase your question. I have no idea what exactly you're trying
to accomplish.

If you had access to the school's LDAP setup (and I suspect they'd tell
you if you asked) SSSD does what you're looking for internally.

But if I'm understanding you right, you want to just use a local login
and do a kinit (I don't know what 'kstart' means) when you log in.

 
08-17-2010, 09:02 PM
Christoph Höger
SSSD and Kerberos tickets

> If you had access to the school's LDAP setup (and I suspect they'd tell
> you if you asked) SSSD does what you're looking for internally.

Neither do I have access to that LDAP (though it might be technically
possible to connect to it, this is just not a supported use case) nor do
I want to rely on the IT infrastructure of my university for my
workstation.

> But if I'm understanding you right, you want to just use a local login
> and do a kinit (I don't know what 'kstart' means) when you log in.

This is exactly what I want. It seems like pam usually can do this:

http://techpubs.spinlocksolutions.com/dklar/kerberos.html#id2503053

But since fedora ships with a custom /etc/pam.d layout due to sssd
(which, as we discussed, cannot handle that use case), I'd like to know
if I still (meaning with sssd in place) can apply the above-mentioned
method.

Btw: kstart is a kinit replacement that allows running arbitrary
commands after getting tickets.

 
08-18-2010, 12:58 PM
Stephen Gallagher
SSSD and Kerberos tickets


On 08/17/2010 05:02 PM, Christoph Höger wrote:
>
>> If you had access to the school's LDAP setup (and I suspect they'd tell
>> you if you asked) SSSD does what you're looking for internally.
>
> Neither do I have access to that LDAP (though it might be technically
> possible to connect to it, this is just not a supported use case) nor do
> I want to rely on the IT infrastructure of my university for my
> workstation.
>
>> But if I'm understanding you right, you want to just use a local login
>> and do a kinit (I don't know what 'kstart' means) when you log in.
>
> This is exactly what I want. It seems like pam usually can do this:
>
> http://techpubs.spinlocksolutions.com/dklar/kerberos.html#id2503053
>
> But since fedora ships with a custom /etc/pam.d layout due to sssd
> (which, as we discussed, cannot handle that use case), I'd like to know
> if I still (meaning with sssd in place) can apply the above-mentioned
> method.
>
> Btw: kstart is a kinit replacement that allows running arbitrary
> commands after getting tickets.
>
>


What makes you think that SSSD would prevent this? That PAM
configuration has nothing to do with whether you can kinit after login.

That configuration in the link you specified does EXACTLY the same thing
that SSSD does: if you log in with a username that Kerberos understands,
you immediately get a ticket. If you don't (i.e. you log in with a local
account), then you can still do 'kinit', which has nothing to do with PAM.

All you need to have set up for kinit is /etc/krb5.conf.



 

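The approach the thread converges on (a local login, then kinit for a Kerberos principal that differs from the local username, then aklog), written up as an added example that is not code from the thread or from the SSSD project: a ~/.bash_profile fragment that lets kinit prompt for the password interactively rather than piping it from a file, so no password sits on disk. The principal chris@EXAMPLE.EDU is a placeholder, and the host is assumed to have /etc/krb5.conf set up as the last reply says.

```shell
# Added example: ~/.bash_profile fragment for a login whose local username
# differs from the Kerberos principal. The principal below is a placeholder.
KRB_PRINCIPAL="${KRB_PRINCIPAL:-chris@EXAMPLE.EDU}"   # placeholder value

# Succeeds only if the credential cache holds a valid, unexpired TGT.
have_ticket() {
    klist -s 2>/dev/null
}

# Obtain a TGT only when none is cached. kinit prompts on the terminal,
# so the password never has to be written to a file. Returns kinit's status.
ensure_ticket() {
    if have_ticket; then
        return 0
    fi
    kinit "$KRB_PRINCIPAL"
}

# Ticket first, then the AFS token: aklog runs only once a TGT exists,
# and is skipped entirely on hosts without the OpenAFS tools installed.
krb_login() {
    ensure_ticket || { echo "kinit failed for $KRB_PRINCIPAL" >&2; return 1; }
    if command -v aklog >/dev/null 2>&1; then
        aklog || { echo "aklog failed" >&2; return 1; }
    fi
    return 0
}

# Run automatically only in an interactive shell, where kinit can prompt;
# non-interactive shells (scp, cron) just get the function definitions.
case $- in
    *i*) krb_login ;;
esac
```

k5start can replace the kinit call if you want the ticket renewed and aklog rerun automatically, as the thread mentions.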