Simon Lyngshede wrote:
| On Thu, Apr 14, 2005 at 12:59:13PM +0200, Lars Schimmer wrote:
|
|>Hi!
|>
|>I set up the PAM conf on Debian Sarge like it was written here:
|>http://mailman.mit.edu/pipermail/kerberos/2004-October/006601.html
|>
|>And tried to login and get my tokens.
|>
|>I can login, but can't get any tickets. I have to call kinit manually to
|>get a ticket and after that aklog to obtain a token.
|>Has anyone a working conf on Debian Sarge for me?
|>
|
| The following works on my setup, Debian Sarge, Kerberos 5 and OpenAFS.
|
| You need the libpam-openafs-session and libpam-krb5 (MIT Kerberos)
| packages.
|
| The following is just the Kerberos and AFS part of my PAM
| configuration. Note that there is no common-password; I don't use it,
| but I suspect that it wouldn't be much different.
|
| /etc/pam.d/common-account:
| account sufficient pam_krb5.so
|
| /etc/pam.d/common-account:
| auth sufficient pam_krb5.so
|
| /etc/pam.d/common-session:
| session optional pam_krb5.so
| session optional pam_openafs_session.so
|
| The "KerberosTgtPassing yes" won't work on Sarge, as the Debian
| package doesn't support that, so you'll need to compile OpenSSH
| yourself. Steps 2 and 3 in the guide you refer to are redundant if you
| let PAM handle everything. The downside is that you won't be able to
| use ssh keys, which brings you back to recompiling SSH yourself. The
| ssh-krb5 package doesn't really seem to contain as many features as
| one would like. I might be wrong, but I failed to make it work.

So, I changed PAM to nearly ONLY those entries, and yes, it works. A Kerberos5 auth user can login and get tickets and tokens. *fine*
And in common-auth I left the unix login uncommented, and root can login, too. So far so good :-)

Now the experienced topics. I've installed the latest ssh-krb package. But limited time today, so tomorrow I'll test ticket forwarding and login with ssh keys.

Oh, one more question: PAM is really a mess for me. How to change the kscreensaver to work with Kerberos? I think it will be very annoying if the user locks the screen and can't unlock it...

| Simon

Thx so far
Lars
--
-----------------------------------------------------------------
Technische Universität Braunschweig, Institut für Computergraphik
Tel.: +49 531 391-2109
E-Mail: [EMAIL PROTECTED]
PGP-Key-ID: 0xB87A0E03
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
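
Added example, not part of the original thread or of either poster's configuration: a small Python check that PAM rules like the ones quoted above put pam_krb5.so in the auth stack and ahead of pam_openafs_session.so in the session stack. The file names in SAMPLE, the pam_unix.so line and the ordering requirement (a ticket has to exist before a token is requested) are assumptions made for illustration.

```python
import re

# Constructed sample: PAM lines as quoted in the thread, keyed by assumed
# file names. Rules are grouped by their type field, not by file name.
SAMPLE = {
    "common-account": "account sufficient pam_krb5.so\n",
    "common-auth": "auth sufficient pam_krb5.so\n"
                   "auth required pam_unix.so\n",
    "common-session": "# ticket first, then the AFS token\n"
                      "session optional pam_krb5.so\n"
                      "session optional pam_openafs_session.so\n",
}

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_rules(text):
    """Return (type, control, module) tuples from pam.d-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("@include"):
            continue
        m = RULE.match(line)  # control may be "[value=action ...]"
        if m:
            kind, control, module = m.groups()
            rules.append((kind.lstrip("-"), control, module.rsplit("/", 1)[-1]))
    return rules


def lint(files):
    """Return findings for the Kerberos 5 + OpenAFS stack (empty list = OK)."""
    stacks = {}
    for text in files.values():
        for kind, _control, module in parse_rules(text):
            stacks.setdefault(kind, []).append(module)
    findings = []
    if "pam_krb5.so" not in stacks.get("auth", []):
        findings.append("auth: pam_krb5.so missing, login obtains no ticket")
    session = stacks.get("session", [])
    if "pam_openafs_session.so" not in session:
        findings.append("session: pam_openafs_session.so missing, no AFS token")
    elif "pam_krb5.so" not in session:
        findings.append("session: pam_krb5.so missing before pam_openafs_session.so")
    elif session.index("pam_krb5.so") > session.index("pam_openafs_session.so"):
        findings.append("session: pam_openafs_session.so runs before pam_krb5.so")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE) or ["stack matches the layout from the thread"]:
        print(finding)
```

To check a real host, build the dictionary from the contents of the files under /etc/pam.d instead of SAMPLE.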
