On 03/27/2014 04:47 PM, John Obaterspok wrote:
2014-03-23 19:45 GMT-04:00 Dmitri Pal<d...@redhat.com>
2014-03-23 9:01 GMT+01:00 John Obaterspok<john.obaters...@gmail.com>:
Hello,
How do I get vsftpd login to work with an existing ticket?
I've added ftp as an identity service (ftp/ipaserver.my....@my.lan)
Is there anything else I need to do to allow ftp login to vsftpd?
What ftp client and server are you using?
Do you know whether they are actually supporting Kerberos?
May be consider other tools like scp instead?
I'm using vsftpd with default settings in Fedora 20 + ftp client from
krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more.
/etc/pam.d/vsftpd looks like this:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny
file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth
Perhaps I need to change something in the pam file in order to allow sso?
-- john
If you want SSO the ftp server should be configured to use GSSAPI and
not use PAM (or fail over to PAM if client does not have a ticket). A
search of the man pages for vsftpd did not render such option. I suspect
it is either undocumented or some other Kerberos enables ftp server
needs to be used.
Does krb-appl package provide one?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users