What is the proper use of pam_krb5 in /etc/pam.d/system-auth for SSO?

Kizerian, Michael Michael.Kizerian at usaa.com
Wed Nov 3 18:25:47 UTC 2004


Running FC2

* kernel 2.6.5-1.358
* krb5-workstation/libs/devel-1.3.3-1
* pam-krb5-2.0.10-1
* pam-0.77-40
* samba-3.0.3-5
* samba-common-3.0.3-5
* samba-client-3.0.3-5
* pam_smb-1.1.7-3.1

I would like to achieve single sign-on, authenticating against AD (Win
Server 2003), retrieving a Kerberos ticket, and pulling down user
groups.  I have the proper config files (Kerberos & Samba), but the error
seems to be in my system-auth module.

The login bombs in 2 places on the Linux side:

1. After entering username
   a. pam_krb5: error resolving user name 'superman' to uid/gid pair
   b. pam_krb5: error getting information about 'superman'

2. After entering password
   a. gdm-binary: Couldn't set acct. mgmt. for superman

On the Win2003 side, superman does authenticate via winbind, but there
exists no log showing a Kerberos request.

Also: I can retrieve tickets using kinit and superman/password
      getent passwd/group retrieves the users and groups on the AD server
      wbinfo -u/-g retrieves the AD groups

Any ideas?

I appreciate any help/direction,

Mike Kizerian
michael.kizerian at usaa.com
mike.kizerian at sbcglobal.net

Here is my pam.d/system-auth file:

*This is a mixture of what the authentication applet creates and
suggestions I've found online.  Some of those suggestions have stated
that the login module needs to be manipulated, but since it calls the
system-auth module, I don't see why that would be necessary; if it is,
please explain.

/etc/pam.d/system-auth

auth required pam_env.so
auth required pam_krb5.so
auth required pam_winbind.so use_first_pass
auth required pam_unix.so use_first_pass likeauth nullok
auth required pam_deny.so

account required pam_krb5.so
account required pam_winbind.so
account required pam_unix.so

password required pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session sufficient pam_krb5.so

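As an added illustration (not code from the post above or from Fedora), here is a small Python simulation of Linux-PAM's simple control-flag semantics run over a constructed copy of the posted auth stack: with every module marked required, the trailing pam_deny.so (and pam_unix.so, which a domain-only user cannot satisfy) fails the whole stack even when pam_krb5.so succeeds. The FIXED stack and the assumed per-module outcomes (AD_USER) are my assumptions for the demonstration, not a recommended configuration.

```python
VALID_TYPES = {"auth", "account", "password", "session"}
# Constructed copy of the posted auth stack plus its 'sessions' line, kept as written.
POSTED = """\
auth required pam_env.so
auth required pam_krb5.so
auth required pam_winbind.so use_first_pass
auth required pam_unix.so use_first_pass likeauth nullok
auth required pam_deny.so
sessions sufficient pam_krb5.so
"""
# Same modules with pam_krb5/pam_winbind marked 'sufficient' (control-flag illustration only).
FIXED = """\
auth required pam_env.so
auth sufficient pam_krb5.so
auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_unix.so use_first_pass likeauth nullok
auth required pam_deny.so
"""

def parse(text):
    """Return ([(type, control, module, args)], [error messages])."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) < 3 or parts[0] not in VALID_TYPES:
            errors.append(f"line {n}: unknown type or incomplete entry: {raw}")
            continue
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries, errors

def run_stack(entries, mtype, succeeded):
    """Simple control flags; succeeded = modules that return PAM_SUCCESS."""
    required_failed = False
    for _t, ctrl, mod, _args in (e for e in entries if e[0] == mtype):
        ok = mod in succeeded
        if ctrl == "requisite" and not ok:   # fail at once
            return False
        if ctrl == "required" and not ok:    # remember the failure, keep running
            required_failed = True
        elif ctrl == "sufficient" and ok and not required_failed:  # pass now
            return True
    return not required_failed

# Assumed domain-user outcome: Kerberos and winbind accept the password; everything not listed
# (pam_unix.so, which has no local hash for the account, and pam_deny.so) fails.
AD_USER = {"pam_env.so", "pam_krb5.so", "pam_winbind.so"}

def auth_result(config, succeeded=AD_USER):
    return run_stack(parse(config)[0], "auth", succeeded)
```

The parser also reports the posted "sessions" line as an unknown module type, which is the kind of entry Linux-PAM itself logs and ignores rather than applying.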