On Thu, Mar 26, 2009 at 6:48 PM, John Koelndorfer <[email protected]> wrote:
> So, here's a quick example in case I wasn't clear enough:
> I ssh to our server using my domain credentials, kdorf and password.
>
> If I have a local user account on that machine and ldap is *not* listed
> in nsswitch.conf, I can login using my domain password and a valid
> Kerberos ticket is fetched for me -- I get access to my home.
>
> If I don't have a local account on that machine and ldap *is* listed in
> nsswitch.conf, I can login using my domain password but `klist` shows
> that I do *not* have a valid Kerberos ticket. Home directory access is
> denied.
You are basically looking in the wrong place. Whether or not you get a Kerberos ticket is decided by the PAM configuration, so that is where you need to look, and be careful to disable pam_ldap.

If your distro is RedHat derived, it is quite easy to see this either with authconfig-tui or the Administration->Authentication menu: user information is clearly separated from authentication. LDAP appears in both places, but Kerberos only in one. I don't know a similar tool for Debian distros (there was a helper for Ubuntu which I cannot find right now), and I lack enough expertise for other distros. The distro you are using is an important detail that could help clarify that.

NFSv4 might introduce differences, but for the other parts maybe this reference could help you a bit:
http://kad.wiki.sourceforge.net/ActiveDirectoryIntegration

Javier Palacios
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
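To make the separation the reply describes concrete, here is an added illustration (not configuration posted in the thread, and not taken from the poster's machine) of a RedHat-style PAM auth stack next to nsswitch.conf. The file paths, module order and control flags are assumptions for the example; the point is that pam_ldap in the auth stack, not the ldap entry in nsswitch.conf, is what can satisfy the password check without pam_krb5 ever obtaining a ticket.

```text
# Added example, not from the original thread. Paths, module order and
# flags are assumptions modelled on a RedHat-style authconfig layout.

# --- /etc/pam.d/system-auth, auth section: stack that logs you in but
# --- leaves you with no ticket.
# pam_ldap is marked "sufficient" and runs before pam_krb5: an LDAP bind
# with the domain password succeeds, the stack stops there, and pam_krb5
# (the module that fetches the ticket) is never reached.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

# --- /etc/pam.d/system-auth, auth section: pam_ldap disabled.
# Only pam_krb5 can accept a domain password now, so a successful login
# always comes with a credential cache that klist can show.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

# --- /etc/nsswitch.conf: user information only. LDAP stays here so that
# --- an account with no local entry still resolves to a uid, gid and home.
# This file never decides how the password is checked.
passwd:     files ldap
shadow:     files ldap
group:      files ldap
```

After changing the stack, `getent passwd kdorf` confirms that the LDAP side (nsswitch) still resolves the user, and a fresh ssh login followed by `klist` confirms that the Kerberos side (PAM) now issues the ticket. On a RedHat-derived system the same result can be reached without hand editing by keeping LDAP enabled for user information while disabling it for authentication in authconfig (or authconfig-tui) and leaving Kerberos enabled.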
