Luis Daniel Lucio Quiroz wrote:

btw, what realm does openssh look for

ssh/[EMAIL PROTECTED]

No host/[EMAIL PROTECTED]


??

On Friday, 18 March 2005 14:25, Douglas E. Engert wrote:

Ethan Bearman wrote:

You're right - it was right on the cutover - if I add enough groups to
the account, I cannot login via ssh with it, nor can I use kinit.

I have had success - finally - getting krb5-1.4 to compile.

But does it run? Can you use the 1.4.0 kinit? I had some problems with this in 11.0


How do I
get source code to compile a pam kerberos library based on kerberos
1.3.5 or later?

If you only need the pam_krb5 for use with OpenSSH you may not need the PAM at all. OpenSSH can accept Kerberos user and passwords or can call PAM to do the same. So if you compile OpenSSH with --with-kerberos5=<path> and set in the sshd_config file:

PasswordAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd yes   (to accept both, or "no" to accept only Kerberos passwords)
UsePAM no

If you still need PAM we are using an old modified version from F. Cusack.
I had started looking at using the pam_krb5-1.3-rc7.tar.gz from RedHat.
(Drop me a private note if you need more on this.)

One problem with HP PAM is it does not support pam_env.


Thanks.

At 12:51 PM 3/17/2005, you wrote:

Ethan Bearman wrote:

At 07:14 AM 3/17/2005, you wrote:

Ethan Bearman wrote:

I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0
running on 9000 series system) to our Windows 2003 AD domain.  It
works for certain admin accounts that have few group memberships,
but not for regular users.
I understand this to be due to the large PAC headers Windows is
using for authorization data, which causes Windows to use TCP
rather than UDP.  Apparently versions of MIT kerberos earlier than
1.3.1 do not support TCP.

I've just run another test and discovered that I can successfully log into the host initially (via PAM kerberos library and SSH), and I don't get error 52. I've got a ticket in my cache and everything. Kerb error 52 only occurs if I'm using kinit from the shell.

You could be right on the cut over point, and maybe addressless vs with address tickets keep the ticket just small enough.

A way to see what is going on would be to do a network trace of the
traffic
to the host. Ethereal works well with Kerberos, and is claimed
to be available for HP, but I have not tried it on HP.
http://www.ethereal.com/download.html


How could this be?  I believe the PAM kerberos library that HP
supplies is based on Krb1.1, which I thought would not be able to
communicate via TCP to our W2k3 KDC's.  Does anyone know why this is
working through PAM, and not at the shell?
Our users are not going to need to do kinit at the shell, but I just
wonder if ignorance is bliss, or if I'm going to encounter problems
anyway with this configuration.
Thanks.
Ethan Bearman
Systems Analyst
USCard Operations
University of Southern California
213.821.2287
213.740.7253 Fax
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

--

Douglas E. Engert  <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois  60439
(630) 252-5444





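As an added illustration (not code from the thread or from OpenSSH), a small Python checker that reads the sshd_config settings Douglas lists and reports which component will actually verify a password login. It applies sshd's first-occurrence-wins rule, and it assumes the ordering of OpenSSH's auth_password(), where UsePAM yes hands the password to PAM before the built-in Kerberos check is reached; the sample config and the result labels are constructed here.

```python
import re

# Constructed sample mirroring the sshd_config settings quoted in the thread.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication yes
KerberosAuthentication yes
# "no" here would accept only Kerberos passwords
KerberosOrLocalPasswd yes
UsePAM no
# shadowed: sshd honours the first occurrence of a keyword
PasswordAuthentication no
"""

# OpenSSH defaults for the keywords this check cares about.
DEFAULTS = {"passwordauthentication": "yes", "kerberosauthentication": "no",
            "kerberosorlocalpasswd": "yes", "usepam": "no"}

def parse_sshd_config(text):
    """Effective keyword -> value map for the global section: keywords are
    case-insensitive, '=' may separate key and value, the first occurrence
    of a keyword wins, and everything after a 'Match' line is conditional
    and therefore ignored here."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        found.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **found}

def password_verifier(cfg):
    """Name the component that will verify a password login. Modelled on
    OpenSSH's auth_password(): UsePAM hands the password to PAM before the
    built-in Kerberos check is reached (assumption about that ordering)."""
    yes = lambda key: cfg.get(key, "no").lower() == "yes"
    if not yes("passwordauthentication"):
        return "password authentication disabled"
    if yes("usepam"):
        return "PAM (e.g. pam_krb5); sshd's own Kerberos check is bypassed"
    if yes("kerberosauthentication"):
        if yes("kerberosorlocalpasswd"):
            return "sshd Kerberos, falling back to local passwd"
        return "sshd Kerberos only"
    return "local passwd only"
```

Run it against a real sshd_config to confirm that a distribution-supplied UsePAM yes is not silently routing Kerberos logins through PAM instead of sshd's own check.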