Ralf Hildebrandt wrote:
> * Douglas E. Engert <[EMAIL PROTECTED]>:
>
> >>Did you add the host account to AD?
>
> Yes.
>
> >>Did you run the MS ktpass to set the service principal in the account,
>
> Yes.
>
> >>set the password on the account, and generate a keytab file?
>
> Yes.
>
> >>Did you copy the keytab file back to the Unix system?
>
> Yes.
>
> >>See
> >>http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
>
> I did EXACTLY that.
>
> Meanwhile, I'm down to this in my /etc/pam.d/openvpn-krb5 file:
>
> auth requisite pam_krb5.so no_ccache debug
> account required pam_permit.so
>
> This works IF AND ONLY IF the account I try to login as (hildeb in my
> example) exists in /etc/passwd. I log in using the Kerberos Password
> (the password from /etc/passwd DOES NOT WORK), but for unknown reasons
> the system insists on the existence of the local account "hildeb" :(

Yes. Kerberos is for authentication only. The password file is also being used for authorization to use the local account (i.e. there is an entry) and as a database to hold UID, GID, home and shell. So you still have to have a password file (or NIS or LDAP) for this data. Using Kerberos means they don't need the password field. Also see the .k5login.

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
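The split Douglas describes, as an added example that is not part of the thread: Kerberos has already authenticated the principal, and the remaining step is purely local, the passwd entry (UID, GID, home, shell) plus the .k5login rule. The realm, the passwd lines and the .k5login contents below are constructed for illustration.

```python
# Added example (not from the thread): authorization after Kerberos
# authentication. The password field is "*" because Kerberos, not this
# file, verifies the password; the entry is still needed for the
# account's attributes and as the "may use this account" record.
from dataclasses import dataclass
from typing import Optional

DEFAULT_REALM = "EXAMPLE.COM"  # assumed realm, constructed for the example

@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

# Constructed stand-in for /etc/passwd.
PASSWD = """\
root:*:0:0:root:/root:/bin/sh
hildeb:*:1001:1001:Ralf Hildebrandt:/home/hildeb:/bin/bash
"""

def lookup_account(username: str, passwd: str = PASSWD) -> Optional[Account]:
    """Return the local account record, or None if there is no local entry."""
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == username:
            return Account(f[0], int(f[2]), int(f[3]), f[5], f[6])
    return None

def k5login_permits(principal: str, username: str, k5login: Optional[str],
                    realm: str = DEFAULT_REALM) -> bool:
    """.k5login rule: with no file, only user@realm may use the account;
    with a file, exactly the principals listed (one per line) may."""
    if k5login is None:
        return principal == f"{username}@{realm}"
    allowed = {l.strip() for l in k5login.splitlines() if l.strip()}
    return principal in allowed

def authorize(principal: str, username: str, k5login: Optional[str]) -> Optional[Account]:
    """Decide whether the authenticated principal may run as username.
    Returns the account to use, or None when login must be refused."""
    account = lookup_account(username)
    if account is None:          # the situation in the thread: no local entry
        return None
    if not k5login_permits(principal, username, k5login):
        return None
    return account
```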
