stevendavidruiz@gmail.com 2005-10-05, 9:04 pm
I've been very frustrated trying to get this to work. We are trying to
use a Windows 2003 server as our Kerberos server, along with our
OpenLDAP on Solaris as our directory server. The machines we want to
authenticate on are all Solaris 9.
The ldap tree is fully populated, and working properly. With our
current nsswitch.conf, logins work using the ldap directory (with
posixAccount & shadowAccount records), as does a getent passwd
<ldapusername>.
Also, we have our Windows 2003 server's directory setup with named
users, and with our current pam.conf, we can authenticate against
kerberos if we have a local passwd entry for that user. However, if we
remove the local passwd entry, I can't authenticate.
I've already added keytab entries for the ldap host, ldap server
(host/hostname & ldap/hostname), and the server I'm trying to login to.
I used FQDNs in all my ktpass.exe key generations, but I'm noticing
that most of our machines have short hostnames in their
/etc/hostname.intN files. DNS resolution does work and returns an
FQDN...
Any ideas what I'm doing wrong here? A tcpdump reveals that a failed
login attempt talks to both the ldap & kerberos servers, but doesn't
log me in. Below is my pam.conf.
thanks!
-Steve R.
# Authentication
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# Default definition for Authentication management
# Used when service name is not explicitly mentioned for authentication
# management
#
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass
#
# Account
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
# See notes about pam_krb5 in "other" section below
cron account optional pam_krb5.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
# According to the pam_krb5 man page, this checks for password expiration.
# I'm not sure this does anything since I've flagged it as optional.
# I'm not sure if I can make it required because of root.
other account optional pam_krb5.so.1
#
# Session
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session optional pam_krb5.so.1
other session required pam_unix_session.so.1
#
# Password
#
# (Don't list pam_krb5 here, this section is only for root. Regular
# users must use the centralized department password changing mechanism.)
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
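To see which module in a stack like the one above actually decides the outcome, here is an added example (not part of the original post) that parses the "other auth" lines and walks them with the control-flag rules documented in Solaris pam.conf(4). The module results are constructed scenarios supplied by the caller, so the script runs offline; which module succeeds on a real host depends on nsswitch, the keytab and the KDC.

```python
# Added example, not from the original post: a small evaluator for a
# Solaris-style pam.conf stack using the control-flag rules of pam.conf(4).
# Module outcomes are constructed scenarios passed in by the caller.
# Constructed copy of the "other auth" lines from the pam.conf quoted above.
PAM_CONF = """\
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass
"""

def parse_stack(text, service, mtype):
    """Return [(control, module, options)] for one service and module type."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        svc, typ, control, module, *opts = line.split()
        if svc == service and typ == mtype:
            stack.append((control, module, opts))
    return stack

def evaluate(stack, results):
    """Walk the stack with results {module: bool}; return (outcome, deciding module)."""
    first_required_fail = None   # Solaris reports the first required/requisite error
    last_success = optional_fail = None
    for control, module, _opts in stack:
        ok = results.get(module, False)          # unlisted module: treated as failing
        if control == "requisite":
            if not ok:
                return "fail", module            # stop immediately
            last_success = module
        elif control == "required":
            if ok:
                last_success = module
            elif first_required_fail is None:
                first_required_fail = module     # remembered, but the stack continues
        elif control == "sufficient":
            if ok and first_required_fail is None:
                return "success", module         # short-circuit: later modules never run
        elif control == "optional":              # a failing sufficient module is skipped
            if ok:
                last_success = module
            elif optional_fail is None:
                optional_fail = module
    if first_required_fail is not None:
        return "fail", first_required_fail
    if last_success is not None:
        return "success", last_success
    return "fail", optional_fail or "empty stack"
```

With a local passwd entry whose password pam_unix_auth accepts, the sufficient line returns before pam_krb5 is ever consulted; for an account that only pam_krb5 can verify, the required line is what decides.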