Davor Ocelic <[EMAIL PROTECTED]> wrote:
> On Sat, Jan 13, 2007 at 04:32:28PM -0600, Christopher D. Clausen
> wrote:
>> Wait, what?  Why do users need keytabs?  You probably do want to use
>> pam_krb5 for sudo, if needed.  If users need to fix daemons, they
>> should already have read access to keytabs for their own daemons and
>> they should be able to kinit -kt /path/to/keytab
>> [EMAIL PROTECTED]
>
> Erm, sure. I had some different film going on in my mind. You're
> right. We do use pam_krb5 for sudo and it works, there's just one
> problem though:
>
> docelic_admin#  sudo su - docelic
> Access denied for this host
> su: Permission denied
> (Ignored)
> No directory, logging in with HOME=/
> [EMAIL PROTECTED]:/$

Why aren't you using sudo -s ?  Or su-ing directly to the user account 
you want?

And the likely problem is that you need to remove the 
pam_openafs_session from working at all with sudo and su.  It's causing 
issues with AFS tokens.

> So, as seen, first problem is that pam's check_host_attr = yes
> is getting in the way and not allowing login. (I need to see what
> hostname is being used that it fails). (The other problem is that
> PAM lets it through in spite of the error message, but this is a known
> pam_ldap bug and is fixed in newer versions).
>
> The other problem is that for the target user, the krb ticket is not
> issued and no afs tokens can be obtained. Maybe this will all fix
> itself after the problem nr. 1 is solved, as that will eliminate
> the negative value in the pam module stack. I need to see more
> about this.


Well, does the target user actually have a Kerberos password?  Is a 
local authentication method succeeding first?  I suspect that all the 
above problems are somehow related to PAM config.

>> As to using some Apache auth module, you want to use the Debian
>> libapache2-mod-authkerb package.  You do NOT want a PAM based
>> solution. I'd like to be able to forward Kerberos tickets from my
>> workstation to the webserver to login without needing to type an
>> additional password. This increases security b/c even root on the
>> remote can't my Kerberos password through this method.
>> Additionally, there is an apache module that uses AFS PTS groups for
>> authorization: http://chu.in-chemnitz.de/download/
>
> It would surely be better to do it the way you suggest, but
> from reading the given URL (from the previous email I was replying to)
> I got an impression that you wouldn't be able to connect if you
> didn't have a kerberos-enabled client in some way. Is this true,
> or you would just be assigned the default realm?

Not true, you could simply type in a Kerberos password when prompted. 
(Of course, you'd only want to set this up over an SSL connection.)  You 
would only be able to authenticate in the default realm though, but that 
likely won't be a problem for most people.

<<CDC 


_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
