Using krb5 to authenticate users
Greetings,
Our uni network uses afs and krb5 for "one-source" userids and home
directories, and I'm trying to get a new powerpc/woody box to use this.
OpenAFS is working fine, and if you klog as a user the Kerberos servers
know, you get the right AFS perms. However, I can't get login or ssh to
use it for user authentication. Here's what I have:
- installed libkrb53, krb5-clients, krb5-config, krb5-doc, krb5-user,
  libpam-krb5
- Used adduser to create /etc/passwd, /etc/shadow entries for user,
  edited /etc/passwd to match uid
- "borrowed" krb5.conf from other box on network (tried several --
  Solaris, RH Linux, IRIX, "generic" provided by admins)
- put lines in /etc/pam.d/login and /etc/pam.d/ssh
Now I can log in as root or using a "local" username, but if I use a
kerberos username I just get "permission denied" via ssh or "login
incorrect" via local login.
My /etc/pam.d/ssh is:
==
#%PAM-1.0
#session optional /lib/security/pam_openafs_session.so
auth sufficient pam_krb5.so.1 try_first_pass
auth required pam_nologin.so
auth required pam_unix.so
auth required pam_env.so # [1]
account sufficient pam_krb5.so.1 try_first_pass
account required pam_unix.so
session sufficient pam_krb5.so.1 try_first_pass
session required pam_unix.so
session optional pam_lastlog.so # [1]
#session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password sufficient pam_krb5.so.1 try_first_pass
password required pam_unix.so
==
My /etc/pam.d/login has the same pam_krb5.so.1 entries.
It appears that no one here knows Debian, and the RH-specific help isn't
much use to me.
I have been unable to find any documentation or HOWTO on setting up
simple krb5-based authentication on a Debian box, something like "you
need these packages, make these changes to the following conf files, add
users like this". Does such a thing exist? (I tried #debian a few
times to no avail.)
Any pointers to documentation or suggestions on how to troubleshoot will
be much appreciated.
Please CC me as I am not subscribed.
Many thanks,
--
Thanasis Kinias
Web Developer, Information Technology
Graduate Student, Department of History
Arizona State University
Tempe, Arizona, U.S.A.
Ash nazg durbatulûk, ash nazg gimbatul,
Ash nazg thrakatulûk agh burzum-ishi krimpatul
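
Added example, not part of the original message: a simplified model of how Linux-PAM evaluates the keyword control flags in the auth stack quoted above. It shows that when the `sufficient` pam_krb5 line succeeds, the later modules (including pam_nologin) are never consulted, and that when it fails the outcome rests on pam_unix alone. The module outcomes passed to `walk` are assumptions, and `parse` and `walk` are hypothetical helper names.

```python
# Added example: simplified model of Linux-PAM's keyword control flags.
# Bracketed [value=action] controls and include lines are not handled.

# Constructed sample: auth/account lines copied from the /etc/pam.d/ssh above.
PAM_SSH = """\
#%PAM-1.0
auth sufficient pam_krb5.so.1 try_first_pass
auth required pam_nologin.so
auth required pam_unix.so
auth required pam_env.so # [1]
account sufficient pam_krb5.so.1 try_first_pass
account required pam_unix.so
"""

def parse(text):
    """Return (type, control, module, args) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def walk(entries, mtype, outcomes):
    """Walk one stack; outcomes maps module -> True/False (assumed results,
    default True). Returns (granted, modules_run, modules_skipped)."""
    stack = [e[1:3] for e in entries if e[0] == mtype]
    failed, passed, ran = False, False, []
    for i, (control, module) in enumerate(stack):
        ok = outcomes.get(module, True)
        ran.append(module)
        rest = [m for _, m in stack[i + 1:]]
        if control == "sufficient":
            if ok and not failed:      # success ends the stack immediately
                return True, ran, rest
            continue                   # failure of a sufficient module is ignored
        if control == "requisite" and not ok:
            return False, ran, rest    # failure ends the stack immediately
        if control in ("required", "requisite") and not ok:
            failed = True              # keep going, but the result is now a denial
        passed = passed or ok
    return passed and not failed, ran, []

if __name__ == "__main__":
    stack = parse(PAM_SSH)
    for krb_ok in (True, False):
        # Assumption: the Kerberos password does not match the local shadow entry.
        print(krb_ok, walk(stack, "auth", {"pam_krb5.so.1": krb_ok, "pam_unix.so": False}))
```
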