btw, what realm does openssh look for ssh/[EMAIL PROTECTED] ??
On Friday 18 March 2005 14:25, Douglas E. Engert wrote:
> Ethan Bearman wrote:
> > You're right - it was right on the cutover - if I add enough groups to
> > the account, I cannot login via ssh with it, nor can I use kinit.
> >
> > I have had success - finally - getting krb5-1.4 to compile.
>
> But does it run? Can you use the 1.4.0 kinit? I had some problems
> with this in 11.0
>
> > How do I
> > get source code to compile a pam kerberos library based on kerberos
> > 1.3.5 or later?
>
> If you only need the pam_krb5 for use with OpenSSH you may not need
> the PAM at all. OpenSSH can accept Kerberos user and passwords or
> can call PAM to do the same. So if you compile OpenSSH with
> --with-kerberos5=<path> and set in the sshd_config file:
>
> PasswordAuthentication yes
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes   (yes to accept both, or no to accept only Kerberos passwords)
> UsePAM no
>
> If you still need PAM we are using an old modified version from F. Cusack.
> I had started looking at using the pam_krb5-1.3-rc7.tar.gz from RedHat.
> (Drop me a private note if you need more on this.)
>
> One problem with HP PAM is it does not support pam_env.
>
> > Thanks.
> >
> > At 12:51 PM 3/17/2005, you wrote:
> >> Ethan Bearman wrote:
> >>> At 07:14 AM 3/17/2005, you wrote:
> >>>> Ethan Bearman wrote:
> >>>>> I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0
> >>>>> running on 9000 series system) to our Windows 2003 AD domain. It
> >>>>> works for certain admin accounts that have few group memberships,
> >>>>> but not for regular users.
> >>>>> I understand this to be due to the large PAC headers Windows is
> >>>>> using for authorization data, which causes Windows to use TCP
> >>>>> rather than UDP. Apparently versions of MIT kerberos earlier than
> >>>>> 1.3.1 do not support TCP.
> >>>
> >>> I've just run another test and discovered that I can successfully log
> >>> into the host initially (via PAM kerberos library and SSH), and I
> >>> don't get error 52. I've got a ticket in my cache and everything.
> >>> Kerb error 52 only occurs if I'm using kinit from the shell.
> >>
> >> You could be right on the cut over point, and maybe addressless vs
> >> with address tickets keep the ticket just small enough.
> >>
> >> A way to see what is going on would be to do a network trace of the
> >> traffic to the host. Ethereal works well with Kerberos, and is claimed
> >> to be available for HP, but I have not tried it on HP.
> >> http://www.ethereal.com/download.html
> >>
> >>> How could this be? I believe the PAM kerberos library that HP
> >>> supplies is based on Krb1.1, which I thought would not be able to
> >>> communicate via TCP to our W2k3 KDC's. Does anyone know why this is
> >>> working through PAM, and not at the shell?
> >>> Our users are not going to need to do kinit at the shell, but I just
> >>> wonder if ignorance is bliss, or if I'm going to encounter problems
> >>> anyway with this configuration.
> >>> Thanks.
> >>> Ethan Bearman
> >>> Systems Analyst
> >>> USCard Operations
> >>> University of Southern California
> >>> 213.821.2287
> >>> 213.740.7253 Fax
> >>> ________________________________________________
> >>> Kerberos mailing list [email protected]
> >>> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >> --
> >>
> >> Douglas E. Engert <[EMAIL PROTECTED]>
> >> Argonne National Laboratory
> >> 9700 South Cass Avenue
> >> Argonne, Illinois 60439
> >> (630) 252-5444
> >
> >
> > Ethan Bearman
> > Systems Analyst
> > USCard Operations
> > University of Southern California
> > 213.821.2287
> > 213.740.7253 Fax
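As an added example (not code from the thread, from OpenSSH, or from any of the posters), here is a small POSIX shell audit that reads an sshd_config and reports which of the password paths discussed in the message above will actually be in effect: PAM, Kerberos with local-password fallback (KerberosOrLocalPasswd yes), Kerberos only, or local passwords only. The sample configs are constructed inline; the precedence ordering (PasswordAuthentication no short-circuits, then UsePAM is consulted before Kerberos password validation) reflects the order of checks in OpenSSH's auth-passwd.c as I understand it, and the defaults assumed are those documented in sshd_config(5).

```shell
#!/bin/sh
# Added example: classify how sshd will validate passwords, given the
# sshd_config keywords discussed in the thread. Sample configs are constructed.

# sshd_get FILE KEYWORD
# Print the value of the first matching keyword. sshd honours the first
# occurrence, keywords are case-insensitive, '#' starts a comment, and
# anything after the first 'Match' line is conditional, so we stop there.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key      { print $2; exit }
    ' "$1"
}

# krb_password_mode FILE
# Echo one of: disabled, pam, local-only, kerberos-or-local, kerberos-only.
# Defaults (sshd_config(5)): PasswordAuthentication yes, UsePAM no,
# KerberosAuthentication no, KerberosOrLocalPasswd yes.
# Assumed precedence (auth-passwd.c): UsePAM is consulted before Kerberos.
krb_password_mode() {
    pw=$(sshd_get "$1" PasswordAuthentication);  : "${pw:=yes}"
    pam=$(sshd_get "$1" UsePAM);                 : "${pam:=no}"
    krb=$(sshd_get "$1" KerberosAuthentication); : "${krb:=no}"
    orl=$(sshd_get "$1" KerberosOrLocalPasswd);  : "${orl:=yes}"
    if   [ "$pw"  != yes ]; then echo disabled
    elif [ "$pam"  = yes ]; then echo pam
    elif [ "$krb" != yes ]; then echo local-only
    elif [ "$orl"  = yes ]; then echo kerberos-or-local
    else                         echo kerberos-only
    fi
}

# make_cfg NAME: read config text from stdin into a temp file, print its path.
make_cfg() {
    f=$(mktemp "${TMPDIR:-/tmp}/sshd_config.$1.XXXXXX")
    cat > "$f"
    echo "$f"
}

# Constructed sample 1: the settings suggested in the thread, fallback allowed.
CFG_BOTH=$(printf '%s\n' '# constructed sample' 'Port 22' \
    'PasswordAuthentication yes' 'KerberosAuthentication yes' \
    'KerberosOrLocalPasswd yes' 'UsePAM no' | make_cfg both)

# Constructed sample 2: Kerberos passwords only (keyword case is irrelevant).
CFG_KRB_ONLY=$(printf '%s\n' 'passwordauthentication yes' \
    'KerberosAuthentication yes' 'KerberosOrLocalPasswd no' \
    'usePAM no' | make_cfg krbonly)

# Constructed sample 3: UsePAM wins even though Kerberos is enabled.
CFG_PAM=$(printf '%s\n' 'UsePAM yes' 'KerberosAuthentication yes' \
    | make_cfg pam)

# Constructed sample 4: only a Match block enables Kerberos, so globally
# the defaults apply and passwords are checked against the local database.
CFG_DEFAULT=$(printf '%s\n' 'Port 22' 'Match Group krbusers' \
    '    KerberosAuthentication yes' | make_cfg default)

trap 'rm -f "$CFG_BOTH" "$CFG_KRB_ONLY" "$CFG_PAM" "$CFG_DEFAULT"' EXIT

for cfg in "$CFG_BOTH" "$CFG_KRB_ONLY" "$CFG_PAM" "$CFG_DEFAULT"; do
    printf '%s: %s\n' "$cfg" "$(krb_password_mode "$cfg")"
done
```

On an OpenSSH 5.1 or later server, `sshd -T` prints the fully resolved configuration and is a better input for this check than the raw file, since it also expands Match blocks for a given connection. The script deliberately stops at the first Match line rather than guessing which conditional settings apply.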
