[KLUG Members] Kerberos
    Adam Tauno Williams 
    awilliam at whitemice.org
       
    Tue Sep 20 21:01:38 EDT 2005
    
    
  
> >>I'm trying to set up Kerberos Authentication for Apache2 on SLES9.
> >>I've been unable to find rpm's or successfully compile an auth mod for 
> >>Apache2.
> >>I decided to use pam_auth_mod and configure pam to use kerberos.
> >>The problem I'm running into is this.
> >>When I log in to the system either using pam or via apache the request 
> >>never gets sent to the Kerberos server unless there is an existing local 
> >>account in passwd. Then even if there is a local account kerberos auth 
> >>still fails.
> >What are you using for NSS?
Kerberos is an authorization/authentication system; it is not a name
service.  It must be used in conjunction with a name service - so you
can set up LDAP or <trembles/> NIS.
> nsswitch.conf:
> passwd: compat
> group:  compat
There you go - there is no name service.
> I can't su to the user because I can't auth as the user.
Because there is no name service to provide getpwent for the user.
> I 'kinit username'
> It asks for a password and accepts the correct password.
Sure, because Kerberos doesn't need the account info - it just wants you
to prove the identity that you claim to be.  The Operating System
however needs the account information.
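
The split described in this message (Kerberos proves the identity, the name service supplies the account) can be checked directly. The following is an added example, not part of the original post; the function names, the sample nsswitch.conf strings and the user name are assumptions made for illustration.

```python
import pwd

def passwd_sources(nsswitch_text):
    """Return the NSS sources listed on the 'passwd:' line, in order."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            # Drop action items such as [NOTFOUND=return]; keep source names.
            return [t for t in line.split(":", 1)[1].split() if "=" not in t]
    return []

def diagnose(user, nsswitch_text, lookup=pwd.getpwnam):
    """Explain whether the OS can resolve `user`, independent of Kerberos."""
    sources = passwd_sources(nsswitch_text)
    # 'compat' only reaches NIS when /etc/passwd carries +/- entries,
    # so without them both of these sources mean local files.
    local_only = set(sources) <= {"compat", "files"}
    try:
        entry = lookup(user)  # the lookup that login, su and PAM account checks need
    except KeyError:
        if local_only:
            return ("no-account: passwd sources %s are local only; kinit can "
                    "succeed but the OS has no uid/home/shell for %r" % (sources, user))
        return "no-account: %r not found in any of %s" % (user, sources)
    return "ok: %r resolves to uid %d via %s" % (user, entry.pw_uid, sources)

# Constructed sample mirroring the configuration quoted in the thread.
COMPAT_ONLY = "passwd: compat\ngroup:  compat\n"
# Constructed sample with a directory source added (assumes nss_ldap is installed).
WITH_LDAP = "passwd: files ldap\ngroup:  files ldap\n"

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "root"
    with open("/etc/nsswitch.conf") as fh:
        print(diagnose(name, fh.read()))
```

Run it with a user name that exists only as a Kerberos principal: a `no-account` result alongside a working `kinit` points at the name service, not at the KDC.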