[KLUG Members] Kerberos

Adam Tauno Williams awilliam at whitemice.org
Wed Sep 21 09:01:01 EDT 2005


>>>>> I'm trying to set up Kerberos Authentication for Apache2 on SLES9.
>>>>> I've been unable to find rpm's or successfully compile an auth 
>>>>> mod for Apache2.
>>>>> I decided to use pam_auth_mod and configure pam to use kerberos.
>>>>> The problem I'm running into is this.
>>>>> When I log in to the system either using pam or via apache the 
>>>>> request never gets sent to the Kerberos server unless there is an 
>>>>> existing local account in passwd. Then even if there is a local 
>>>>> account kerberos auth still fails.
>>>> What are you using for NSS?
>> Kerberos is an authorization/authentication system; it is not a name
>> service.  It must be used in conjunction with a name service - so you
>> can setup LDAP or <trembles/> NIS.
> I don't have the option for either. This is a college that's part of 
> a larger university.
> The university runs a kerberos server with all the faculty and 
> students. Over 100,000 users.
> They don't offer LDAP or NIS. Only Kerberos.

Really?  I'd double check as it is VERY VERY hard to imagine a network of
100,000 users without an operational name service (I mean - how would anything
work?  Perhaps they use Active Directory?  An NT domain?  Both of these provide
a name service.)

> What I'm really looking for is web auth. I only started looking at 
> pam because SLES9 doesn't come with mod_kerb and I couldn't find a 
> suitable RPM for it. Meaning one that works.

Ah, without a name service I think you are out of luck as far as PAM goes - at
least without using some spooky incantations that are going to make your system
impossible to maintain.  You should be able to make mod_kerb work, but probably
not anything PAM related.

Aside:  I'm not sure how PAM auth works via Apache, but if you can specify a PAM
service name and make a separate PAM stack with only an authenticate line and no
session or account entries.... MAYBE that would work?

-- 
Adam Tauno Williams - http://www.whitemice.org


