[KLUG Members] Kerberos

Green Proc greenproc at charter.net
Wed Sep 21 08:37:06 EDT 2005



Jeremy Leonard wrote:
> Adam Tauno Williams wrote:
> 
>>>>>>> I'm trying to set up Kerberos Authentication for Apache2 on SLES9.
>>>>>>> I've been unable to find rpm's or successfully compile an auth
>>>>>>> mod for Apache2.
>>>>>>> I decided to use pam_auth_mod and configure pam to use kerberos.
>>>>>>> The problem I'm running into is this.
>>>>>>> When I log in to the system either using pam or via apache the
>>>>>>> request never gets sent to the Kerberos server unless there is an
>>>>>>> existing local account in passwd. Then even if there is a local
>>>>>>> account kerberos auth still fails.
>>>>>>
>>>>>>
>>>>>> What are you using for NSS?
>>>>>
>>>>>
>>>> Kerberos is an authorization/authentication system; it is not a name
>>>> service.  It must be used in conjunction with a name service - so you
>>>> can setup LDAP or <trembles/> NIS.
>>>
>>>
>>> I don't have the option for either. This is a college that's part of
>>> a larger university.
>>> The university runs a kerberos server with all the faculty and
>>> students. Over 100,000 users.
>>> They don't offer LDAP or NIS. Only Kerberos.
>>
>>
>>
>> Really?  I'd double check as it is VERY VERY hard to imagine a network of
>> 100,000 users without an operational name service (I mean - how would
>> anything work?  Perhaps they use Active Directory?  An NT domain?  Both of
>> these provide a name service.)
>>
>>> What I'm really looking for is web auth. I only started looking at
>>> pam because SLES9 doesn't come with mod_kerb and I couldn't find a
>>> suitable RPM for it. Meaning one that works.
>>
>>
>>
>> Ah,  without a name service I think you are out of luck as far as PAM
>> goes - at least without using some spooky incantations that are going to
>> make your system impossible to maintain.  You should be able to make
>> mod_kerb work, but probably not anything PAM related.
>>
>> Aside:  I'm not sure how PAM auth works via Apache, but if you can
>> specify a PAM service name and make a separate PAM stack with only an
>> authenticate line and no session or account entries.... MAYBE that
>> would work?
>>
> I've given up on using PAM. I got it to perform the kerberos query but
> pam returns un-authenticated.
> 
> I'm now trying to compile mod_auth_krb5 for apache2.
> 
> Here is what I'm getting:
> 
> When I run ./configure I get this:
> 
> checking for gcc... gcc
> checking for C compiler default output... a.out
> checking whether the C compiler works... yes
> checking whether we are cross compiling... no
> checking for suffix of executables...
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ANSI C... none needed
> checking whether make sets $(MAKE)... yes
> checking for main in -lresolv... yes
> checking how to run the C preprocessor... gcc -E
> checking for egrep... grep -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking limits.h usability... yes
> checking limits.h presence... yes
> checking for limits.h... yes
> checking netdb.h usability... yes
> checking netdb.h presence... yes
> checking for netdb.h... yes
> checking stddef.h usability... yes
> checking stddef.h presence... yes
> checking for stddef.h... yes
> checking for stdlib.h... (cached) yes
> checking for string.h... (cached) yes
> checking for unistd.h... (cached) yes
> checking for size_t... yes
> checking whether struct tm is in sys/time.h or time.h... time.h
> checking gssapi.h usability... yes
> checking gssapi.h presence... yes
> checking for gssapi.h... yes
> checking for krb5_init_context in -lkrb5... no
> checking for krb5_init_context in -lkrb5... (cached) no
> checking for krb5_init_context in -lkrb5... (cached) no


> checking for Kerberos4 installation... no
> configure: error: No Kerberos enviroment found

It looks like you need the kerberos development libraries.  You're on
Suse9.3, correct?  I don't know which yast package name you need to
install, but on Debian it's libkrb5-dev.  You should be able to find it
in Yast searching for things like kerberos, kerberos-devel, and such.
But I'm pretty sure that your configure script is telling you it cannot
find the kerberos development libraries necessary to compile the
kerberos module for apache.  In your case you would need krb4, not 5 as
I quoted above.  Hope that works :)


> 
> config.log:
> ---------snipit-------------
> configure:3306: checking for krb5_init_context in -lkrb5
> configure:3337: gcc -o conftest -g -O2   conftest.c -lkrb5   -L/usr/lib
> -lgssapi -lkrb5 -lasn1 -lcrypto -lroken -lcrypt -lresolv -lresolv >&5
> /usr/lib/gcc-lib/i586-suse-linux/3.3.3/../../../../i586-suse-linux/bin/ld:
> cannot find -lcrypto
> collect2: ld returned 1 exit status
> configure:3340: $? = 1
> ---------end snipit-------------
> 
> 
> I can't seem to get beyond this.
> _______________________________________________
> Members mailing list
> Members at kalamazoolinux.org
> 
> 
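
Added example, not part of the original message or of the mod_auth_krb5 sources: configure's summary line only reports that a check failed, while config.log records the linker's own complaint. This script pulls the "cannot find -l..." lines out of a config.log and pairs each with the check that triggered it. The function names are assumptions of this example, and the embedded sample is the excerpt quoted above with the mail line-wrapping undone.

```shell
#!/bin/sh
# Added example: list the libraries the linker could not find during each
# configure check recorded in config.log.

# The config.log excerpt quoted in the message above, with the mail
# client's line wrapping undone so each log record is on one line.
sample_log() {
cat <<'EOF'
configure:3306: checking for krb5_init_context in -lkrb5
configure:3337: gcc -o conftest -g -O2   conftest.c -lkrb5   -L/usr/lib -lgssapi -lkrb5 -lasn1 -lcrypto -lroken -lcrypt -lresolv -lresolv >&5
/usr/lib/gcc-lib/i586-suse-linux/3.3.3/../../../../i586-suse-linux/bin/ld: cannot find -lcrypto
collect2: ld returned 1 exit status
configure:3340: $? = 1
EOF
}

# missing_libs: read config.log text on stdin and print one line per
# (check, missing library) pair as "check<TAB>-lname", de-duplicated.
missing_libs() {
    awk '
        # Remember which check is currently being run.
        /^configure:[0-9]+: checking / {
            check = $0
            sub(/^configure:[0-9]+: checking /, "", check)
            next
        }
        # Linker error: keep only the -lname token (newer ld versions
        # append ": No such file or directory" after it).
        /cannot find -l/ {
            lib = $0
            sub(/^.*cannot find /, "", lib)
            sub(/[^A-Za-z0-9_+.-].*$/, "", lib)
            key = check "\t" lib
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    '
}

# Usage: ./missing_libs.sh [config.log]; with no argument, run on the sample.
if [ -n "${1:-}" ]; then
    missing_libs < "$1"
else
    sample_log | missing_libs
fi
```

On the sample, the only library reported is the one the linker names, not the one the check was probing for.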

