[KLUG Members] Kerberos
Jeremy Leonard
lists at elite4god.com
Wed Sep 21 07:31:36 EDT 2005
Adam Tauno Williams wrote:
>>>>I'm trying to set up Kerberos Authentication for Apache2 on SLES9.
>>>>I've been unable to find RPMs or successfully compile an auth mod for
>>>>Apache2.
>>>>I decided to use pam_auth_mod and configure PAM to use Kerberos.
>>>>The problem I'm running into is this.
>>>>When I log in to the system either using PAM or via Apache the request
>>>>never gets sent to the Kerberos server unless there is an existing local
>>>>account in passwd. Then even if there is a local account Kerberos auth
>>>>still fails.
>>>>
>>>>
>>>What are you using for NSS?
>>>
>>>
>
>Kerberos is an authorization/authentication system; it is not a name
>service. It must be used in conjunction with a name service - so you
>can setup LDAP or <trembles/> NIS.
>
>
I don't have the option for either. This is a college that's part of a
larger university.
The university runs a Kerberos server with all the faculty and students.
Over 100,000 users.
They don't offer LDAP or NIS. Only Kerberos.
What I'm really looking for is web auth. I only started looking at PAM
because SLES9 doesn't come with mod_kerb and I couldn't find a suitable
RPM for it. Meaning one that works.
They used to use open_afs for this but over the summer the university
switched to Kerberos5.
Any pointers?
Thanks for the help.
>>nsswitch.conf:
>>passwd: compat
>>group: compat
>>
>>
>
>There you go - there is no name service.
>
>
>
>>I can't su to the user because I can't auth as the user.
>>
>>
>
>Because there is no name service to provide getpwent for the user.
>
>
>
>>I 'kinit username'
>>It asks for a password and accepts the correct password.
>>
>>
>
>Sure, because Kerberos doesn't need the account info - it just wants you
>to prove the identity that you claim to be. The Operating System
>however needs the account information.
>
>
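
The split described in the thread (kinit accepts the password, but the OS cannot find the account) can be checked by separating the two questions. The following is an added example, not part of the original message; the function names and the `kerbuser` account are hypothetical, and the sample file content is constructed from the two lines quoted above.

```python
import pwd
import re

# Sources that consult only local files. "compat" reads /etc/passwd and
# brings in NIS only through +/- entries placed in that file.
LOCAL_ONLY = {"compat", "files"}

# Constructed sample: the passwd/group lines quoted in the thread.
SAMPLE_NSSWITCH = """\
# constructed sample nsswitch.conf
passwd: compat
group:  compat
"""

def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [action] items."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Drop bracketed action specs such as [NOTFOUND=return].
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        dbs[db.strip()] = rest.split()
    return dbs

def diagnose(text, user, lookup=pwd.getpwnam):
    """Report whether the OS can resolve `user`, independent of Kerberos."""
    sources = parse_nsswitch(text).get("passwd", [])
    local_only = bool(sources) and set(sources) <= LOCAL_ONLY
    try:
        lookup(user)          # same lookup that login, su and PAM depend on
        resolved = True
    except KeyError:
        resolved = False
    return {"passwd_sources": sources,
            "local_only": local_only,
            "resolved": resolved}

if __name__ == "__main__":
    # On a real host, pass the contents of /etc/nsswitch.conf instead.
    result = diagnose(SAMPLE_NSSWITCH, "kerbuser")  # hypothetical account
    print(result)
    if result["local_only"] and not result["resolved"]:
        print("Kerberos may authenticate this principal, but no name "
              "service supplies its account information.")
```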