[19248] in Kerberos


Re: Kerberos-Gssapi-ldap-pam interaction

daemon@ATHENA.MIT.EDU (Turbo Fredriksson)
Wed May 14 13:20:09 2003

To: kerberos@mit.edu
From: Turbo Fredriksson <turbo@bayour.com>
Date: 14 May 2003 19:18:44 +0200
In-Reply-To: <slrnbc4m4u.325.walter+SP@droopy.sun.efrei.fr>
Message-ID: <87y919e9aj.fsf@papadoc.bayour.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu

>>>>> "Jerome" == Jerome Walter <walter+SP@M.efrei.fr> writes:

    Jerome> In article <877k8tfzjb.fsf@papadoc.bayour.com>, Turbo
    Jerome> Fredriksson wrote:

    >>>>>>> "Jerome" == Jerome Walter <walter+SP@M.efrei.fr> writes:

    >>  What is saying 'Insufficient credentials'? PAM/LDAP? Login?

    Jerome> Mmmh, at login, PAM/LDAP I guess. It appears in the
    Jerome> auth.log : May 14 16:39:23 veau login[735]: pam_ldap:
    Jerome> error trying to bind (invalid credentials)

Did you allow anonymous read to the posixAccount attributes? Might
not be the best solution, but it beats having a DN/password in the
file system that can read it...

    Jerome> Is there someone who has ever installed such a config ?
    >>  On a NUMBER of machines. Rocks MY world! :)

    Jerome> I know that. Got your doc just next to the keyboard ;)
    Jerome> There is a few things to change though.

Such as?

    Jerome> Did you ever PAM to the LDAP to get accounting info ? It
    Jerome> does not appear, just pam_krb5 which works great for me.

http://www.bayour.com/LDAPv3-HOWTO.html#5.3.1.Building%20and%20installation|outline

    Jerome> My first thoughts were that it could come from
    Jerome> supportedSASLmechanisms, which only returns GSSAPI and not
    Jerome> plain, anonymous nor login...

I have ONLY GSSAPI enabled....

    Jerome> Perhaps on the other hand I made an error configuring
    Jerome> libnss-ldap, but i do not know how to test it.

Did you specify 'binddn' etc? You shouldn't (have to)... Mine looks like:

----- s n i p -----
uri ldaps://LDAPSERVER/
base dc=com
ldap_version 2
----- s n i p -----

That's IT!! And the LibPAM/LDAP config file looks like:

----- s n i p -----
uri ldaps://LDAPSERVER/
base dc=com
ldap_version 2
pam_crypt local
----- s n i p -----

    Jerome> Finally, is there something special to do to make sudo and
    Jerome> ssh not requiring entering the password again ?
    Jerome> try_first_pass does not seem to work...
    >>  I don't care. I use 'ksu' instead :)

    Jerome> Yep, but my administrator won't give the root password to
    Jerome> the students who, like me, have some rights to rm, kill,
    Jerome> renice or reboot some stations when needed (some other
    Jerome> students do not use their unix account very properly ;)

You don't have to, that's the beauty! All you do is create the file
'/root/.k5login' with the principals that should have FULL access,
or '/root/.k5users' with principal and command. And you authenticate
with your own ticket!

        man ksu

The files '/root/.k5{login,users}' would (closely, but with better
security) resemble and replace sudo.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
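Added example, not code from the post or from MIT Kerberos: a Python model of the authorization decision ksu makes from /root/.k5login and /root/.k5users, so an administrator can review who would be able to run what as root before using these files in place of sudo. The file contents are constructed; the implicit same-user rule, the shell-only meaning of a .k5users entry with no commands, and the resolution of bare command names against /bin and /usr/bin are assumptions drawn from the ksu man page, not verified against the ksu source.

```python
"""Added example, not code from the post or from MIT Kerberos: a model of
the authorization decision ksu makes from /root/.k5login and /root/.k5users."""
import os

# Constructed sample files in the formats the ksu man page documents:
# .k5login lists principals with full access, one per line; .k5users lists a
# principal followed by the commands it may run, with "*" meaning any command.
K5LOGIN = "turbo@BAYOUR.COM\n"
K5USERS = """\
jerome@M.EFREI.FR /bin/kill /usr/bin/renice /sbin/reboot
ops@M.EFREI.FR renice
helpdesk@M.EFREI.FR *
"""

# Assumption: bare command names in .k5users are resolved against this path.
DEFAULT_PATH = ("/bin", "/usr/bin")


def parse_k5login(text):
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def parse_k5users(text):
    rules = {}
    for ln in text.splitlines():
        fields = ln.split()
        if fields:
            rules[fields[0]] = fields[1:]   # [] = shell only (assumption)
    return rules


def expand(entry):
    """Absolute entries match themselves; bare names match in DEFAULT_PATH."""
    if entry.startswith("/"):
        return {entry}
    return {os.path.join(d, entry) for d in DEFAULT_PATH}


def ksu_authorized(principal, command, target_user="root", realm="BAYOUR.COM",
                   k5login=K5LOGIN, k5users=K5USERS):
    """True if `principal` may run `command` (None = a login shell) as
    `target_user`; the most permissive rules are checked first."""
    if principal == f"{target_user}@{realm}":
        return True                      # implicit same-user rule (assumption)
    if principal in parse_k5login(k5login):
        return True                      # .k5login grants shell and any command
    allowed = parse_k5users(k5users).get(principal)
    if allowed is None:
        return False                     # listed in neither file
    if command is None:
        return allowed == [] or "*" in allowed
    return "*" in allowed or any(command in expand(c) for c in allowed)
```

Feeding it the real files from a host shows at a glance which principals hold unrestricted root (the .k5login and "*" cases) versus a bounded command list.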
