[KLUG Members] Kerberos

Jeremy Leonard lists at elite4god.com
Wed Sep 21 07:31:36 EDT 2005


Adam Tauno Williams wrote:

>>>>I'm trying to set up Kerberos Authentication for Apache2 on SLES9.
>>>>I've been unable to find RPMs or successfully compile an auth mod for 
>>>>Apache2.
>>>>I decided to use pam_auth_mod and configure PAM to use Kerberos.
>>>>The problem I'm running into is this.
>>>>When I log in to the system either using PAM or via Apache the request 
>>>>never gets sent to the Kerberos server unless there is an existing local 
>>>>account in passwd. Then even if there is a local account Kerberos auth 
>>>>still fails.
>>>>        
>>>>
>>>What are you using for NSS?
>>>      
>>>
>
>Kerberos is an authorization/authentication system; it is not a name
>service.  It must be used in conjunction with a name service - so you
>can set up LDAP or <trembles/> NIS.
>  
>
I don't have the option for either. This is a college that's part of a 
larger university.
The university runs a Kerberos server with all the faculty and students. 
Over 100,000 users.
They don't offer LDAP or NIS. Only Kerberos.

What I'm really looking for is web auth. I only started looking at PAM 
because SLES9 doesn't come with mod_kerb and I couldn't find a suitable 
RPM for it. Meaning one that works.

They used to use open_afs for this but over the summer the university 
switched to Kerberos5.

Any pointers?

Thanks for the help.

>>nsswitch.conf:
>>passwd: compat
>>group:  compat
>>    
>>
>
>There you go - there is no name service.
>
>  
>
>>I can't su to the user because I can't auth as the user.
>>    
>>
>
>Because there is no name service to provide getpwent for the user.
>
>  
>
>>I 'kinit username'
>>It asks for a password and accepts the correct password.
>>    
>>
>
>Sure, because Kerberos doesn't need the account info - it just wants you
>to prove the identity that you claim to be.  The Operating System
>however needs the account information.
>  
>
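
The split discussed in this message, where `kinit` accepts the password while login and su fail, can be checked by looking at the name service separately from Kerberos. The following is an added example, not code from the thread or from any participant; the function names and the user name `jdoe` are hypothetical, and the sample nsswitch.conf is constructed to mirror the one quoted above.

```python
import pwd

# Constructed sample mirroring the nsswitch.conf quoted in the thread.
SAMPLE_NSSWITCH = """\
passwd: compat
group:  compat
"""

# Sources backed by the local /etc/passwd (compat can also pull NIS via +/- entries).
LOCAL_SOURCES = {"files", "compat"}


def nss_sources(conf_text, database):
    """Return the ordered sources for one nsswitch database, skipping [action] items."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def account_known(user, lookup=pwd.getpwnam):
    """True if the name service resolves the user; login, su and PAM account checks need this."""
    try:
        lookup(user)
        return True
    except KeyError:
        return False


def diagnose(user, conf_text, lookup=pwd.getpwnam):
    """Separate 'no account entry' from 'Kerberos rejected the password'."""
    sources = nss_sources(conf_text, "passwd")
    if account_known(user, lookup):
        return ("account-ok", "user resolves; remaining failures are on the Kerberos/PAM side")
    if all(src in LOCAL_SOURCES for src in sources):
        return ("no-account-local-only",
                f"passwd sources {sources} are local; kinit can succeed but the OS has no uid/home/shell")
    return ("no-account", f"passwd sources {sources} did not return the user")


if __name__ == "__main__":
    # Hypothetical user name; reads the real /etc/nsswitch.conf when run directly.
    with open("/etc/nsswitch.conf") as fh:
        print(diagnose("jdoe", fh.read()))
```

A `no-account-local-only` result for a user whose `kinit` succeeds matches the situation in the thread: the principal exists in Kerberos, but nothing supplies the passwd entry.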


