Proper use of pam_krb5 within system-auth to achieve SSO

Kizerian, Michael Michael.Kizerian at usaa.com
Wed Nov 3 16:06:19 UTC 2004 

Running FC2
*	kernel 2.6.5-1.358
*	krb5-workstation/libs/devel-1.3.3-1
*	pam-krb5-2.0.10-1
*	pam-0.77-40
*	samba-3.0.3-5
*	samba-common-3.0.3-5
*	samba-client-3.0.3-5
*	pam_smb-1.1.7-3.1


I would like to achieve a single-sign on, authenticating against AD (Win
Server 2003) and retrieving a Kerberos ticket, and pulling down user
groups.  I have the proper config files(Kerberos & Samba), but the error
seems to be in my system-auth module.  

The login bombs in 2 places on the Linux side
1.	After entering username
a.	pam_krb5: error resolving user name 'superman' to uid/gid pair
b.	pam_krb5: error getting information about 'superman'
2.	After entering password
a.	gdm-binary: Couldn't set acct. mgmt. for superman

On the Win2003 side, superman does authenticate via winbind, but there
exists no log showing a Kerberos request.

Also: I can retrieve tickets using kinit and superman/password
        getent passwd/group retrieves the users and groups on the AD
server
        wbinfo -u/-g retrieves the AD groups

Any ideas?

I appreciate any help/direction,

Mike Kizerian
michael.kizerian at usaa.com <mailto:michael.kizerian at usaa.com> 
mike.kizerian at sbcglobal.net

Here is my pam.d/system-auth file:
*This is a mixture of what the authentication applet creates and
suggestions I've found online.  Some of those suggestions have stated
that the login modules needs to manipulated, but since it calls the
system-auth module, I don't see why it would be necessary, if it is
please explain.
/etc/pam.d/system-auth
auth required pam_env.so
auth required pam_krb5.so
auth required pam_winbind.so use_first_pass
auth required pam_unix.so use_first_pass likeauth nullok
auth required pam_deny.so

account required pam_krb5.so
account required pam_winbind.so
account required pam_unix.so

password required pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authok md5 shadow
password sufficient pam_krb5.so use_authok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
sessions sufficient pam_krb5.so



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/users/attachments/20041103/cfecd7e9/attachment-0002.html

More information about the users mailing list