Suse 9.2 help! AFS/Kerberos/LDAP

From: Sensei (noone_at_nowhere.org)
Date: 12/27/04


Date: Mon, 27 Dec 2004 17:12:03 +0100

Hi everybody!

I'm facing some problems in making SuSE 9.2 Pro authenticate over our
KDCs and use the AFS namespace for home directories.

First, the AFS client seems to support only *one* IP address. I entered
just one and, OK, it seems that the cell is working anyway --- is the
CellServDB enough? I don't know anymore!

===[/etc/sysconfig/afs-client]===
THIS_CELL_SERVER="ip.address"
THIS_CELL_SERVER_NAME="cell.name"

Now, the problem is Kerberos 5 and LDAP. We have MIT K5 along with
OpenLDAP just for uid/gid and home dirs, both on Debian stable (we have
other info in there of course, but none of it matters from this point of
view). LDAP has *NO* base DN. We have Gentoo, Debian, Knoppix and Red Hat
clients all working, but no luck with SuSE!

I can kinit and I gain the right token. Authentication from PAM and
nss_ldap are NOT working. Anyway, I don't see anything bad in my
configuration:

===[/etc/openldap/ldap.conf]===
base
host dir.cell.name slave.cell.name
nss_base_passwd
nss_base_shadow
nss_base_group

===[/etc/nsswitch.conf]===
passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns
networks: files dns

services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files
aliases: files

===[/etc/pam.d/login]===
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_krb5afs.so use_first_pass nodelay
auth required pam_securetty.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
password required pam_krb5afs.so
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_resmgr.so

===[/etc/sysconfig/ldap]===
BASE_CONFIG_DN=""
BIND_DN=""

===[/etc/krb5.conf]===
[libdefaults]
         clockskew = 300
         default_realm = CELL.NAME

[realms]
CELL.NAME = {
         kdc = krb.cell.name
         kdc = slave.cell.name
         default_domain = cell.name
         kpasswd_server = krb.cell.name
}

[domain_realm]
         .cell.name = CELL.NAME
         cell.name = CELL.NAME

[logging]
         default = SYSLOG:NOTICE:DAEMON
         kdc = FILE:/var/log/kdc.log
         kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
         ticket_lifetime = 1d
         renew_lifetime = 1d
         forwardable = true
         proxiable = false
         retain_after_close = false
         minimum_uid = 0
         debug = false
         afs_cells = cell.name
}

I get this in /var/log/messages:

Dec 27 16:25:20 plm02 -- MARK --
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: unable to determine uid/gid for user
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: authentication fails for `username'
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)
Dec 27 16:41:50 plm02 login[15375]: FAILED LOGIN 1 FROM /dev/tty1 FOR UNKNOWN, User not known to the underlying authentication module
Dec 27 16:41:54 plm02 modprobe: FATAL: Could not load /lib/modules/2.6.8-24-default/modules.dep: No such file or directory

Anyway... I can use Kerberos and AFS, but NOT LDAP with nsswitch. LDAP is
working CORRECTLY under GSSAPI!

plm02:/var/log # klist
klist: No ticket file: /tmp/krb5cc_0

plm02:/var/log # tokens

Tokens held by the Cache Manager:

    --End of list--

plm02:/var/log # kinit username
username@CELL.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

plm02:/var/log # klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: username@CELL.NAME

   Issued Expires Principal
Dec 27 16:44:36 Dec 28 02:44:36 krbtgt/CELL.NAME@CELL.NAME
Dec 27 16:44:36 Dec 28 02:44:36 afs/cell.name@CELL.NAME
plm02:/var/log # tokens

Tokens held by the Cache Manager:

Tokens for afs@cell.name [Expires Dec 28 02:44]
    --End of list--

I can use AFS after all:

plm02:/var/log # cd /afs/cell.name/usr/u/username/private/
plm02:/afs/cell.name/usr/u/username/private/ # touch a
plm02:/afs/cell.name/usr/u/username/private/ # rm a

plm02:/afs/cell.name/usr/u/username/private/ # fs listacl .
Access list for . is
Normal rights:
   system:administrators rlidwka
   username rlidwka

But nsswitch isn't working:

plm02:/afs/cell.name/usr/u/username/private/ # groups username
id: username: No such user

plm02:/afs/cell.name/usr/u/username/private/ # ldapsearch "cn=plm"
SASL/GSSAPI authentication started
SASL username: username@CELL.NAME
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=plm
# requesting: ALL
#

# plm
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1

You're using SuSE... so... what's going on here? :(

-- 
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB>
        <icqnum:241572242>
        <yahoo!:sensei_sen>
        <msn-id:sensei_sen@hotmail.com>
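Two things are worth separating when debugging a setup like the one in the post above: which file the NSS module reads, and what it does with the settings in it. nss_ldap and pam_ldap read their own configuration file (/etc/ldap.conf by default in that era's builds), not the libldap client file /etc/openldap/ldap.conf that ldapsearch consults, so a successful ldapsearch does not by itself show that nss_ldap sees the same base and nss_base_* values. Likewise, an ldapsearch run under SASL/GSSAPI is authenticated, while nss_ldap with no binddn binds anonymously; `ldapsearch -x -b '' '(uid=username)'` compares like with like. The model below is an added example, not code from the post or from nss_ldap itself. It parses a constructed LDIF snippet (the posixGroup is the one the post shows; the posixAccount entry, its DN and attribute values are assumptions) and applies nss_ldap's map semantics for the post's settings: an empty base and empty nss_base_passwd/nss_base_group. It shows why `groups username` reports "No such user" whenever the passwd map comes up empty, even though the group entry naming the user resolves fine, and why a nss_base_* DN that does not contain the entries fails the same way.

```python
"""Model of nss_ldap's passwd/group lookups (added example, not from the post).

The 'cn=plm' entry is copied from the post's ldapsearch output; the
posixAccount 'uid=username,ou=People' is an assumed entry for illustration.
"""

# Constructed sample directory content.
SAMPLE_LDIF = """\
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group

dn: uid=username,ou=People
objectClass: posixAccount
uid: username
uidNumber: 10001
gidNumber: 10002
gecos: Example User
homeDirectory: /afs/cell.name/usr/u/username
loginShell: /bin/bash
"""

# Settings as the post shows them: every base is empty.
POST_CONFIG = {"base": "", "nss_base_passwd": "",
               "nss_base_shadow": "", "nss_base_group": ""}


def parse_ldif(text):
    """Parse plain LDIF (no folded lines, no base64 '::' values) into a
    list of {attribute: [values]} dicts; attribute names are lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def search_base(config, nss_map):
    """nss_ldap searches nss_base_<map> if set, otherwise 'base'.  The value
    may carry '?scope?filter' suffixes; only the DN part is used here.
    "" means the root of the directory, searched with scope sub."""
    specific = config.get("nss_base_" + nss_map, "")
    return specific.split("?")[0] if specific else config.get("base", "")


def in_subtree(dn, base):
    """Is dn at or below base?  An empty base matches every entry."""
    dn, base = dn.lower(), base.lower()
    return base == "" or dn == base or dn.endswith("," + base)


def has_class(entry, objectclass):
    return objectclass in (v.lower() for v in entry.get("objectclass", []))


def getpwnam(entries, name, config=POST_CONFIG):
    """Passwd map: (&(objectClass=posixAccount)(uid=<name>)) under the passwd
    base, rendered as a passwd(5) line.  None is what 'No such user' means."""
    base = search_base(config, "passwd")
    for e in entries:
        if (in_subtree(e["dn"][0], base) and has_class(e, "posixaccount")
                and name in e.get("uid", [])):
            return ":".join([name, "x", e["uidnumber"][0], e["gidnumber"][0],
                             e.get("gecos", [""])[0], e["homedirectory"][0],
                             e["loginshell"][0]])
    return None


def getgrnam(entries, name, config=POST_CONFIG):
    """Group map: (&(objectClass=posixGroup)(cn=<name>)) as a group(5) line."""
    base = search_base(config, "group")
    for e in entries:
        if (in_subtree(e["dn"][0], base) and has_class(e, "posixgroup")
                and name in e.get("cn", [])):
            return ":".join([name, "x", e["gidnumber"][0],
                             ",".join(e.get("memberuid", []))])
    return None


def groups_for(entries, name, config=POST_CONFIG):
    """What 'groups <user>' does: getpwnam() first for the primary gid, then a
    scan of the group map for that gid or a matching memberUid.  A group entry
    naming the user is useless if the passwd lookup fails."""
    pw = getpwnam(entries, name, config)
    if pw is None:
        raise KeyError("id: %s: No such user" % name)
    primary_gid = pw.split(":")[3]
    base = search_base(config, "group")
    return [e["cn"][0] for e in entries
            if in_subtree(e["dn"][0], base) and has_class(e, "posixgroup")
            and (e["gidnumber"][0] == primary_gid
                 or name in e.get("memberuid", []))]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(getpwnam(directory, "username"))
    print(getgrnam(directory, "plm"))
    print(groups_for(directory, "username"))
    # Only the group entry the post shows: the group resolves, the user does not.
    group_only = [e for e in directory if has_class(e, "posixgroup")]
    print(getgrnam(group_only, "plm"))
    try:
        groups_for(group_only, "username")
    except KeyError as err:
        print(err)
    # A passwd base that does not contain the entry's DN fails the same way.
    wrong = dict(POST_CONFIG, nss_base_passwd="ou=People,dc=cell,dc=name?one")
    print(getpwnam(directory, "username", wrong))
```

Running the file prints the passwd line, the group line and `['plm']` for the full directory, then the "No such user" error for the group-only directory and `None` for the mismatched base. Against a real client the equivalent checks are `getent passwd username` and `getent group plm`: if the first is empty while the second is not, the problem is in the passwd map (or in the file nss_ldap is actually reading), not in the group data.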

