Yes, but you need 2 realms:
host/[EMAIL PROTECTED] for the server and ssh/[EMAIL PROTECTED] for service. I ask you if it is ssh or sshd or what.

LD

On Friday 18 March 2005 17:02, Douglas E. Engert wrote:
> Luis Daniel Lucio Quiroz wrote:
> > btw, what realm does openssh look for
> >
> > ssh/[EMAIL PROTECTED]
>
> No
> host/[EMAIL PROTECTED]
>
> > ??
> >
> > On Friday 18 March 2005 14:25, Douglas E. Engert wrote:
> >>Ethan Bearman wrote:
> >>>You're right - it was right on the cutover - if I add enough groups to
> >>>the account, I cannot login via ssh with it, nor can I use kinit.
> >>>
> >>>I have had success - finally - getting krb5-1.4 to compile.
> >>
> >>But does it run? Can you use the 1.4.0 kinit? I had some problems
> >>with this in 11.0
> >>
> >>>How do I
> >>>get source code to compile a pam kerberos library based on kerberos
> >>>1.3.5 or later?
> >>
> >>If you only need the pam_krb5 for use with OpenSSH you may not need
> >>the PAM at all. OpenSSH can accept Kerberos user and passwords or
> >>can call PAM to do the same. So if you compile OpenSSH with
> >> --with-kerberos5=<path> and set in the sshd_config file:
> >>
> >>PasswordAuthentication yes
> >>KerberosAuthentication yes
> >>KerberosOrLocalPasswd yes   # to accept both, or no to accept only Kerberos passwords
> >>usePAM no
> >>
> >>If you still need PAM we are using an old modified version from F.
> >> Cusack. I had started looking at using the pam_krb5-1.3-rc7.tar.gz from
> >> RedHat. (Drop me a private note if you need more on this.)
> >>
> >>One problem with HP PAM is it does not support pem_env.
> >>
> >>>Thanks.
> >>>
> >>>At 12:51 PM 3/17/2005, you wrote:
> >>>>Ethan Bearman wrote:
> >>>>>At 07:14 AM 3/17/2005, you wrote:
> >>>>>>Ethan Bearman wrote:
> >>>>>>>I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0
> >>>>>>>running on 9000 series system) to our Windows 2003 AD domain. It
> >>>>>>>works for certain admin accounts that have few group memberships,
> >>>>>>>but not for regular users.
> >>>>>>>I understand this to be due to the large PAC headers Windows is
> >>>>>>>using for authorization data, which causes Windows to use TCP
> >>>>>>>rather than UDP. Apparently versions of MIT kerberos earlier than
> >>>>>>>1.3.1 do not support TCP.
> >>>>>
> >>>>>I've just run another test and discovered that I can successfully log
> >>>>>into the host initially (via PAM kerberos library and SSH), and I
> >>>>>don't get error 52. I've got a ticket in my cache and everything.
> >>>>>Kerb error 52 only occurs if I'm using kinit from the shell.
> >>>>
> >>>>You could be right on the cut over point, and maybe addressless vs
> >>>>with address tickets keep the ticket just small enough.
> >>>>
> >>>>A way to see what is going on would be to do a network trace of the
> >>>>traffic to the host. Ethereal works well with Kerberos, and is claimed
> >>>>to be available for HP, but I have not tried it on HP.
> >>>>http://www.ethereal.com/download.html
> >>>>
> >>>>>How could this be? I believe the PAM kerberos library that HP
> >>>>>supplies is based on Krb1.1, which I thought would not be able to
> >>>>>communicate via TCP to our W2k3 KDC's. Does anyone know why this is
> >>>>>working through PAM, and not at the shell?
> >>>>>Our users are not going to need to do kinit at the shell, but I just
> >>>>>wonder if ignorance is bliss, or if I'm going to encounter problems
> >>>>>anyway with this configuration.
> >>>>>Thanks.
> >>>>>Ethan Bearman
> >>>>>Systems Analyst
> >>>>>USCard Operations
> >>>>>University of Southern California
> >>>>>213.821.2287
> >>>>>213.740.7253 Fax
> >>>>>________________________________________________
> >>>>>Kerberos mailing list [email protected]
> >>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
> >>>>
> >>>>--
> >>>>
> >>>> Douglas E. Engert <[EMAIL PROTECTED]>
> >>>> Argonne National Laboratory
> >>>> 9700 South Cass Avenue
> >>>> Argonne, Illinois 60439
> >>>> (630) 252-5444
> >>>
> >>>Ethan Bearman
> >>>Systems Analyst
> >>>USCard Operations
> >>>University of Southern California
> >>>213.821.2287
> >>>213.740.7253 Fax
