
Using krb5 to authenticate users



Greetings,

Our uni network uses AFS and krb5 for "one-source" userids and home
directories, and I'm trying to get a new powerpc/woody box to use this.
OpenAFS is working fine, and if you klog as a user the Kerberos servers
know, you get the right AFS perms.  However, I can't get login or ssh to
use it for user authentication.  Here's what I have:

- installed libkrb53, krb5-clients, krb5-config, krb5-doc, krb5-user,
  libpam-krb5

- Used adduser to create /etc/passwd, /etc/shadow entries for user,
  edited /etc/passwd to match uid

- "borrowed" krb5.conf from other box on network (tried several --
  Solaris, RH Linux, IRIX, "generic" provided by admins)

- put lines in /etc/pam.d/login and /etc/pam.d/ssh

Now I can log in as root or using a "local" username, but if I use a
Kerberos username I just get "permission denied" via ssh or "login
incorrect" via local login.

My /etc/pam.d/ssh is:

==

#%PAM-1.0

#session optional /lib/security/pam_openafs_session.so

auth       sufficient   pam_krb5.so.1 try_first_pass
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]

account    sufficient   pam_krb5.so.1 try_first_pass
account    required     pam_unix.so

session    sufficient   pam_krb5.so.1 try_first_pass
session    required     pam_unix.so
session    optional     pam_lastlog.so # [1]
#session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password   sufficient   pam_krb5.so.1 try_first_pass
password   required     pam_unix.so

==

My /etc/pam.d/login has the same pam_krb5.so.1 entries.

It appears that no one here knows Debian, and the RH-specific help isn't
much use to me.

I have been unable to find any documentation or HOWTO on setting up
simple krb5-based authentication on a Debian box, something like "you
need these packages, make these changes to the following conf files, add
users like this".  Does such a thing exist?  (I tried #debian a few
times to no avail.)

Any pointers to documentation or suggestions on how to troubleshoot will
be much appreciated.

Please CC me as I am not subscribed.

Many thanks,
-- 
Thanasis Kinias
Web Developer, Information Technology
Graduate Student, Department of History
Arizona State University
Tempe, Arizona, U.S.A.

Ash nazg durbatulûk, ash nazg gimbatul,
Ash nazg thrakatulûk agh burzum-ishi krimpatul
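
An added troubleshooting aid, not part of the original post: a simplified model of how Linux-PAM walks the auth stack posted above, showing which modules run and what the stack returns for a given set of module results. It assumes only the simple control keywords (no bracket syntax, no includes), and the module results passed in are constructed scenarios.

```python
# Added example: simplified model of Linux-PAM control flags (assumption: only
# required/requisite/sufficient/optional; no [bracket] syntax, no includes).

# auth and account lines copied from the /etc/pam.d/ssh posted above.
POSTED = """\
#%PAM-1.0
auth       sufficient   pam_krb5.so.1 try_first_pass
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]
account    sufficient   pam_krb5.so.1 try_first_pass
account    required     pam_unix.so
"""

def parse(text):
    """Return {type: [(control, module, args), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        mtype, control, module, *args = line.split()
        stacks.setdefault(mtype, []).append((control, module, args))
    return stacks

def evaluate(stack, results):
    """Walk one stack. results maps module -> True/False (default True).
    Returns (granted, modules_that_ran)."""
    failed, succeeded, ran = False, False, []
    for control, module, _ in stack:
        ok = results.get(module, True)
        ran.append(module)
        if control == "sufficient":
            if ok and not failed:
                return True, ran      # stack ends here; later modules skipped
            continue                  # a failed 'sufficient' is ignored
        if ok:
            succeeded = True
        elif control == "requisite":
            return False, ran         # fail immediately
        elif control == "required":
            failed = True             # fail, but keep running the stack
    return succeeded and not failed, ran

if __name__ == "__main__":
    auth = parse(POSTED)["auth"]
    # Constructed scenarios: Kerberos login works / fails with no local password.
    print(evaluate(auth, {"pam_krb5.so.1": True}))
    print(evaluate(auth, {"pam_krb5.so.1": False, "pam_unix.so": False}))
```

The second scenario matches the reported symptom: once pam_krb5 fails, the result rests entirely on pam_unix, so the reason pam_krb5 failed (as logged through syslog) is the first thing to check. The first scenario shows that a successful `sufficient` pam_krb5 ends the auth stack before pam_nologin and pam_env run.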

