[30389] in Kerberos


Re: Kerberos and LDAP

daemon@ATHENA.MIT.EDU (Davor Ocelic)
Thu Oct 30 09:42:50 2008

Date: Thu, 30 Oct 2008 14:41:54 +0100
From: Davor Ocelic <docelic@mail.inet.hr>
To: kerberos@mit.edu
Message-ID: <20081030144154.6074262f@handgun.spinlock.hr>
In-Reply-To: <1225371905.6996.31.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 30 Oct 2008 14:05:05 +0100
Ronni Feldt <rofe@one.com> wrote:

> Hi,
> 
> It worked!
> 
> I tried 'id ronni' which did not work.
> Then I stopped nscd and success! I am now able to login using the user
> in LDAP.

Nscd is a caching daemon; so after it caches information about 
'ronni' not existing, it will not figure out you added it until
you run nscd -i passwd or restart it.

> Now, I have read a lot, and seem to have lost the complete overview
> of how it all works together. Can someone explain to me, just in a
> superficial way, how it fits together or point me to a link?

There's nothing special really. NSS is used to get user metadata
(username, id, gid, homedir, shell, etc.), and PAM is used to perform
the actual verification of user credentials (login allowed or not).
And nscd is there just to cache NSS results so that the remote lookup
is not performed all the time.

> My next step is to get Kerberos working with SSH, as I understand it,
> I have to configure SSH to use Kerberos to authenticate the user by
> forwarding my local Kerberos key; is that correct?

Getting ssh to work with kerberos is 2 or 3 lines...
sshd_config file something like:

KerberosAuthentication yes
GSSAPIAuthentication yes 
UsePAM yes

And ssh_config (client) file something like:

Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials no

-doc
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
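
Added example, not part of the original message or of OpenSSH: a small check that the three sshd_config settings named in the reply above are the ones actually in effect, given that sshd uses the first value it reads for each keyword. The function names and the sample configuration are constructed for illustration; Include directives and Match blocks are not evaluated.

```python
import re

# Settings named in the message above and the values it suggests.
WANTED = {
    "kerberosauthentication": "yes",
    "gssapiauthentication": "yes",
    "usepam": "yes",
}

# keyword, then whitespace or a single '=', then the argument
LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def effective_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive, '#' and blank lines are skipped, and the
    first value seen for a keyword wins. Simplification (assumption of this
    example): parsing stops at the first Match line, Include is not followed.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()
        if keyword == "match":
            break
        seen.setdefault(keyword, m.group(2).strip().strip('"'))
    return seen

def audit(text):
    """Return (keyword, found, wanted) for each setting that differs."""
    eff = effective_settings(text)
    return [(k, eff.get(k), want) for k, want in WANTED.items()
            if (eff.get(k) or "").lower() != want]

# Constructed sample: the second GSSAPIAuthentication line is ignored by sshd.
SAMPLE = """\
kerberosauthentication yes
GSSAPIAuthentication no
GSSAPIAuthentication yes
UsePAM=yes
Match User backup
    GSSAPIAuthentication no
"""

if __name__ == "__main__":
    for keyword, found, wanted in audit(SAMPLE):
        print(f"{keyword}: effective={found!r}, wanted={wanted!r}")
```

On a live host, the output of `sshd -T` gives the same effective values with Include and defaults already resolved.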
