
I have a central authentication server with OpenLDAP set up and populated, and Kerberos 5, also populated.

On an Ubuntu LTS machine, I set up nslcd and kerberos client stuff. This way, issuing the

id gergely.polonkai

tells me I'm gergely.polonkai(10000) in group engineering(10000). Also, issuing

kinit gergely.polonkai

asks for my password, and creates my keychain (klist shows my TGT).

Thus, I assume every bit works fine. But when I add kerberos stuff to pam:

auth sufficient pam_krb5.so
account sufficient pam_krb5.so
session optional pam_krb5.so

the logs say gergely.polonkai authenticated successfully, then say gergely.polonkai is unknown to the underlying authentication module.

Edit:

getent passwd gergely.polonkai

gets me the correct data. However

getent shadow gergely.polonkai

tells me nothing (trying both as root).

Edit:

adding shadowAccount objectClass to the user fixed the shadow problem. However, the original error still persists.

Am I missing something?

GergelyPolonkai
  • The first thing I would try is a more straightforward username that is 8 chars or less. If that works try a longer username that is just a-z. It may be that the pam modules are not handling the username correctly. '.' is a special char that needs quoting in earlier versions of kerberos and it may be causing problems in the pam module code. – Fred the Magic Wonder Dog Feb 23 '14 at 21:49
  • My packages are recent (kinda; it's a CentOS 6.4). The answer was a bit more obvious; see my own answer below. – GergelyPolonkai Feb 24 '14 at 20:46

1 Answer


It seemed that I was missing something fundamental. After messing up my whole PAM and NSS configuration by hand, I reinstalled the machine (it was a fresh install before my messing). After installing all the necessary packages I did before, running one single magic command by hand did the trick:

pam-auth-update

As soon as I get back to that machine tomorrow, I will post the resulting pam.d files.

GergelyPolonkai
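The question's three pam_krb5 lines and the answer's pam-auth-update fix both come down to how Linux-PAM walks a stack: the control keyword of each module, and its position relative to pam_unix, decide what the caller sees. The simulator below is an added example written for this page; it is not code from the question, the answer, or the pam_krb5 project. It models only the four classic keywords (required, requisite, sufficient, optional), not the bracket syntax pam-auth-update generates, and the return codes it feeds the stack are a constructed table standing in for pam_krb5 and pam_unix. The two stack orderings and the assumption that a stock "required pam_unix.so" line is still present are likewise assumptions made here; the question does not show where its lines sat.

```python
"""Simulate how Linux-PAM walks one management group (auth, account, ...)
of a pam.d stack, so that the effect of control flags and module order can
be seen without editing a live /etc/pam.d.

Added example for this Q&A page; it is not code from the original post.
The module return codes below are a constructed table standing in for what
pam_krb5 and pam_unix might return; the real modules are never called.
Only the four classic control keywords are modelled, not the
"[value=action ...]" bracket syntax that pam-auth-update writes.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"  # logged as "unknown to the underlying authentication module"
PAM_PERM_DENIED = "PAM_PERM_DENIED"    # Linux-PAM's result when no module had a say

KEYWORDS = ("required", "requisite", "sufficient", "optional")


def parse_stack(text, group):
    """Return [(control, module), ...] for the lines of one management group."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != group:
            continue
        control, module = fields[1], fields[2]
        if control not in KEYWORDS:
            raise ValueError("unsupported control field: " + control)
        stack.append((control, module))
    return stack


def run_stack(stack, results):
    """Evaluate a parsed stack against a {module: return code} table.

    Mirrors the Linux-PAM dispatcher: it keeps an 'impression' (undecided,
    positive or negative) plus the status that goes with it.  A module
    missing from the table is treated as returning PAM_IGNORE.
    """
    impression = None            # None = undecided, True = positive, False = negative
    status = PAM_PERM_DENIED
    for control, module in stack:
        rc = results.get(module, PAM_IGNORE)
        if rc == PAM_SUCCESS:
            action = "done" if control == "sufficient" else "ok"
        elif rc == PAM_IGNORE or control in ("sufficient", "optional"):
            action = "ignore"     # failures of sufficient/optional do not count
        else:
            action = "die" if control == "requisite" else "bad"

        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, rc
            if impression and action == "done":
                return status     # 'sufficient' short-circuits the rest of the stack
        else:
            if impression is not False:
                impression, status = False, rc   # the first failure's code is kept
            if action == "die":
                return status     # 'requisite' aborts immediately
    return status


# Constructed stacks (assumption: a stock 'required pam_unix.so' line is
# present; the question only shows its three pam_krb5 lines).
UNIX_FIRST = """\
auth    sufficient pam_krb5.so
auth    required   pam_unix.so
account required   pam_unix.so
account sufficient pam_krb5.so
session optional   pam_krb5.so
"""

KRB5_FIRST = """\
auth    sufficient pam_krb5.so
auth    required   pam_unix.so
account sufficient pam_krb5.so
account required   pam_unix.so
session optional   pam_krb5.so
"""

# Constructed return codes: a user whose TGT is valid but who has no shadow
# entry visible through NSS (before shadowAccount was added) vs. after.
AUTH_RC = {"pam_krb5.so": PAM_SUCCESS, "pam_unix.so": PAM_AUTH_ERR}
ACCOUNT_RC_NO_SHADOW = {"pam_krb5.so": PAM_SUCCESS, "pam_unix.so": PAM_USER_UNKNOWN}
ACCOUNT_RC_SHADOW = {"pam_krb5.so": PAM_SUCCESS, "pam_unix.so": PAM_SUCCESS}


def login(stack_text, auth_rc, account_rc):
    """Run the auth phase, then the account phase, as login or sshd would."""
    auth = run_stack(parse_stack(stack_text, "auth"), auth_rc)
    if auth != PAM_SUCCESS:
        return auth, None          # the account phase is never reached
    account = run_stack(parse_stack(stack_text, "account"), account_rc)
    return auth, account


if __name__ == "__main__":
    print("unix first, no shadow:  ", login(UNIX_FIRST, AUTH_RC, ACCOUNT_RC_NO_SHADOW))
    print("unix first, with shadow:", login(UNIX_FIRST, AUTH_RC, ACCOUNT_RC_SHADOW))
    print("krb5 first, no shadow:  ", login(KRB5_FIRST, AUTH_RC, ACCOUNT_RC_NO_SHADOW))
```

With UNIX_FIRST and no shadow entry, the auth phase returns PAM_SUCCESS at the sufficient pam_krb5 line, and the account phase returns PAM_USER_UNKNOWN because the required pam_unix failure is recorded before the sufficient pam_krb5 success, which cannot override a negative impression: exactly the "authenticated successfully" followed by "unknown to the underlying authentication module" pair in the question. The same ordering returns PAM_SUCCESS once pam_unix can see a shadow entry. KRB5_FIRST also returns PAM_SUCCESS without a shadow entry, but only because the sufficient line short-circuits the stack, so pam_unix's account checks (expiry, locking) never run for Kerberos users; that is the trade-off to weigh before hand-ordering pam_krb5 ahead of pam_unix rather than letting pam-auth-update compose the stack.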