
Re: pam_krb5 not talking to kdc



Kerberos is an authentication mechanism only. It doesn't map principal
names to, say, Unix/POSIX UIDs, GIDs, home directory paths and so on.

You still need /etc/passwd for that. Granted, this sort of sucks and you
need to arrange to use a secure name service.

Unix/POSIX suck too in that the UID/GID namespace is flat. As opposed to
the Windows NT/2K SID namespace.

Also, with Win2k ActiveDirectory KDCs, Kerberos tickets DO contain
information to map the user principal name to winnt/win2k info (e.g.,
SIDs list). Unfortunately MS did this in a rather ugly, non-standard way
and is using the DMCA to publish the details while claiming that they
are a trade secret.

Nico

On Fri, Feb 09, 2001 at 11:07:08AM +0100, Alex Schenkman wrote:
> No I don't!!
> I have an entry in the kdc.
> Maybe I'm missing the point here...
> 
> I want to have all my user entries in the kdc (like NIS)
> If I need also a NIS server then I would have two passwords:
> one on the NIS maps and the other within kerberos.
> 
> 
> 
> 
> On Thu, 08 Mar 2001, you wrote:
> > man getpwnam
> > 
> > The error message below means, in all likelihood, that you don't have an
> > entry in /etc/passwd (or NIS/NIS+ password map, or in your LDAP db,
> > etc...) for 'me'.
> > 
> > Nico
> > 
> > 
> > On Thu, Feb 08, 2001 at 08:31:11PM +0100, Alex Schenkman wrote:
> > > Hi,
> > > 
> > > I need some help configuring pam_krb5
> > > 
> > > On a client machine, when I do "kinit me" I get a ticket and everything is fine.
> > > But when I login through pam_krb5 I get:
> > > 
> > > login[643]: pam_krb5: getpwnam("me") failed
> > > login[643]: pam_krb5: authentication fails for me
> > > 
> > > Doesn't pam_krb5 use the same config info as kinit?
> > > 
> > > Doing a tcpdump I don't see any attempts to contact the kdc.
> > > 
> > > Thanks a lot.
> > --
--
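The point Nico makes above, that pam_krb5 resolves the local account through getpwnam() before it ever talks to the KDC, is easy to see in code. The following is an added example, not part of the original thread and not pam_krb5's own source: it reproduces the order of operations with the standard pwd module (which asks NSS, i.e. /etc/passwd, NIS, LDAP, etc.), and adds a small log classifier so the two syslog lines from the original post can be told apart from a genuine KDC rejection. Assumptions: the default realm EXAMPLE.COM, the simple "single-component principal in the default realm maps to the same-named local user" rule, the account names used in the test, and the sample log lines, which are a constructed copy of the ones quoted in the thread.

```python
import pwd
import re

DEFAULT_REALM = "EXAMPLE.COM"  # assumption for this example

# Constructed copy of the two syslog lines quoted in the original post.
SAMPLE_LOG = [
    'login[643]: pam_krb5: getpwnam("me") failed',
    'login[643]: pam_krb5: authentication fails for me',
]


def principal_to_local(principal, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a candidate local account name.

    Minimal rule assumed here: a single-component principal in the
    default realm maps to the same-named local user; instance/service
    principals (host/foo) and foreign realms are refused. Kerberos itself
    carries no UID/GID, so this mapping is a policy decision of the
    client, not something the KDC can answer.
    """
    name, sep, realm = principal.partition("@")
    if not name or "/" in name:
        return None
    if sep and realm != default_realm:
        return None
    return name


def account_lookup(local_name):
    """What pam_krb5 does with getpwnam(): ask NSS for the account.

    Returns the passwd entry (uid, gid, home, shell) or None when no
    source (/etc/passwd, NIS, LDAP, ...) knows the user.
    """
    try:
        return pwd.getpwnam(local_name)
    except KeyError:
        return None


def simulate_login(principal, default_realm=DEFAULT_REALM):
    """Reproduce the ordering from the thread.

    The local account must resolve before any KDC traffic would be
    generated, which is why tcpdump on the original poster's client
    showed no packets to the KDC. Returns (stage, detail).
    """
    local = principal_to_local(principal, default_realm)
    if local is None:
        return ("refused", "principal does not map to a local user")
    pw = account_lookup(local)
    if pw is None:
        # This is the state the original poster was in: the module gives
        # up here, and the KDC is never contacted.
        return ("getpwnam_failed", 'pam_krb5: getpwnam("%s") failed' % local)
    return ("ready_for_kdc",
            "uid=%d gid=%d home=%s" % (pw.pw_uid, pw.pw_gid, pw.pw_dir))


GETPWNAM_FAIL = re.compile(r'pam_krb5: getpwnam\("([^"]+)"\) failed')
AUTH_FAIL = re.compile(r'pam_krb5: authentication fails for (\S+)')


def diagnose(log_lines):
    """Classify pam_krb5 syslog lines per user.

    A getpwnam() failure means "no account in NSS"; an authentication
    failure without a preceding getpwnam() failure is the case where the
    KDC was actually consulted and said no (or was unreachable).
    """
    causes = {}
    for line in log_lines:
        m = GETPWNAM_FAIL.search(line)
        if m:
            causes[m.group(1)] = (
                "no account in NSS (passwd/NIS/LDAP); KDC never contacted")
            continue
        m = AUTH_FAIL.search(line)
        if m:
            causes.setdefault(
                m.group(1), "KDC rejected or unreachable; check KDC logs/tcpdump")
    return causes


if __name__ == "__main__":
    for p in ("root", "me@EXAMPLE.COM", "host/kdc.example.com@EXAMPLE.COM"):
        print(p, "->", simulate_login(p))
    for user, cause in diagnose(SAMPLE_LOG).items():
        print(user, ":", cause)
```

Running it as root exists on every Unix box shows the "ready_for_kdc" stage; a principal like me@EXAMPLE.COM with no matching passwd entry stops at getpwnam, exactly the symptom in the thread, and only once the account exists (in /etc/passwd, NIS, or LDAP) does the password check against the KDC even begin.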