(This article is also available in Hungarian)
Install the necessary PAM library:
sudo apt-get install libpam-krb5
Log in as a Unix user - you can use the account you have been working as. Look at the file /etc/pam.d/common-auth:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
As you can see, the system first tries to log you in using Kerberos. If that fails, the local accounts are tried, and if that too fails a final attempt is made against LDAP. Log on as the LDAP user jdoe. John does not have a Kerberos principal yet, but LDAP will let him in. Observe the login process:
tail -f /var/log/auth.log
You can see that first we try to authenticate against the Kerberos server and fail. Then we get in by other means. Once logged in, try issuing the command klist. You will get no results. Try issuing kinit: as jdoe has no principal of his own, he has to use one belonging to someone else.
Let us create the Kerberos principal of jdoe (our commands in bold):
kadmin.local: addprinc -x dn="uid=jdoe,ou=People,dc=itthon,dc=cucc" jdoe
WARNING: no policy specified for jdoe@ITTHON.CUCC; defaulting to no policy
Enter password for principal "jdoe@ITTHON.CUCC": password
Re-enter password for principal "jdoe@ITTHON.CUCC": password
Principal "jdoe@ITTHON.CUCC" created.
The passwords for LDAP and for Kerberos are different. Both can be used to log on.
We have seen what happens if we use the LDAP password: the command klist gives no output, but you can use kinit (in this case you have to enter the Kerberos password). After that, the output of klist shows that Kerberos knows you.
If you log on using the Kerberos password, the following can be observed in auth.log:
ubuserver login[779]: pam_krb5(login:auth): user jdoe authenticated as jdoe@ITTHON.CUCC
And klist can confirm that.
If you issue the command passwd, Ubuntu tries to change the Kerberos password in both cases (try it: you will see that you are asked for the Kerberos password). If you fail to enter that password, you are asked for the LDAP password too, in both cases. The cause of this behaviour is the settings in /etc/pam.d/common-password:
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so
We still have some things to arrange:
- We have to enable logon on the clients - this means slightly more than installing libpam-krb5.
- We have to arrange things in a way that we will not have to create a Kerberos principal for every LDAP user by hand. To achieve this we are going to use the LDAP overlay smbkrb5pwd. This is the one we have been using to sync the Linux-Samba passwords so far.
- We have to come up with a solution that prevents the users from having two unsynchronised passwords.
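The control fields in the common-auth and common-password stacks quoted above decide which module gets to vote and which modules are skipped, and that is what produces the behaviour observed in the login and passwd experiments. The following Python script is an added example, not code from the original article: it parses the two stacks and replays the pam.conf(5) action semantics (ignore / ok / done / bad / die / jump N) against module outcomes you supply, so it runs offline with no PAM, KDC or LDAP server. It reproduces the LDAP password admitting jdoe via pam_ldap, the Kerberos password short-circuiting straight to pam_permit, and passwd falling through to LDAP when the Kerberos password is mistyped. Assumptions: the article shows only the first three common-auth lines, so the pam_deny/pam_permit tail is assumed here to mirror the common-password stack; the module outcomes are constructed; pam_deny's exact error code is simplified to a single failure value.

```python
"""Linux-PAM control-flag walk-through (added illustration, not the article's code).
Parses pam.d stacks and applies pam.conf(5) action semantics to caller-supplied
module outcomes, so it runs offline without PAM, a KDC or an LDAP server."""

import re

# Constructed sample input, copied from the article's /etc/pam.d excerpts.
# The pam_deny/pam_permit tail of common-auth is ASSUMED (the article shows
# only the first three lines); it mirrors the common-password stack, and the
# success=3 jump presupposes exactly three more lines after pam_krb5.
COMMON_AUTH = """
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

COMMON_PASSWORD = """
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so
"""

# Expansion of the classic control keywords, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# type  control-keyword-or-[bracket list]  module  [args...]
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_stack(text):
    """Return [(module, {retval: action, ...}), ...] for one pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        _mtype, control, module, _args = m.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((module, actions))
    return entries


def simulate(text, outcomes):
    """Walk a stack. `outcomes` maps module name -> PAM return value name
    (e.g. 'success', 'auth_err', 'user_unknown'); pam_permit always succeeds
    and pam_deny always fails, so they need no entry (simplification: pam_deny's
    real error code depends on the management group).
    Returns (verdict, [modules actually consulted])."""
    entries = parse_stack(text)
    impression = None   # None = undecided, "ok" or "bad" (Linux-PAM's UNDEF/POSITIVE/NEGATIVE)
    status = None
    trace = []
    i = 0
    while i < len(entries):
        module, actions = entries[i]
        if module == "pam_permit.so":
            retval = "success"
        elif module == "pam_deny.so":
            retval = "perm_denied"
        else:
            retval = outcomes[module]
        trace.append(module)
        # Unlisted return values fall back to default=; an unlisted default is 'bad'.
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("bad", "die"):
            if impression != "bad":     # the first failure fixes the stack's error code
                impression, status = "bad", retval
            if action == "die":
                break                   # die: stop immediately
        elif action != "ignore":        # ok, done, or a jump count
            if impression is None:      # a success cannot override an earlier failure
                impression, status = "ok", retval
            if action == "done" and impression == "ok":
                break                   # done: stop with success
            if action.isdigit():        # jump: skip the next N modules
                i += int(action)
        i += 1
    if impression is None:              # nobody voted: Linux-PAM denies by default
        status = "perm_denied"
    return status, trace


if __name__ == "__main__":
    cases = [
        ("login, jdoe with LDAP password", COMMON_AUTH,
         {"pam_krb5.so": "auth_err", "pam_unix.so": "user_unknown", "pam_ldap.so": "success"}),
        ("login, jdoe with Kerberos password", COMMON_AUTH, {"pam_krb5.so": "success"}),
        ("login, wrong password", COMMON_AUTH,
         {"pam_krb5.so": "auth_err", "pam_unix.so": "user_unknown", "pam_ldap.so": "auth_err"}),
        ("passwd, Kerberos mistyped, LDAP ok", COMMON_PASSWORD,
         {"pam_krb5.so": "authtok_err", "pam_unix.so": "user_unknown", "pam_ldap.so": "success"}),
        ("passwd, LDAP password wrong", COMMON_PASSWORD,
         {"pam_krb5.so": "authtok_err", "pam_unix.so": "user_unknown", "pam_ldap.so": "authtok_err"}),
        ("passwd, purely local user", COMMON_PASSWORD,
         {"pam_krb5.so": "user_unknown", "pam_unix.so": "success"}),
    ]
    for label, stack, outcome in cases:
        verdict, trace = simulate(stack, outcome)
        print("%-38s -> %-12s via %s" % (label, verdict, " > ".join(trace)))
```

Reading the trace for the Kerberos-password case shows why `success=3` is needed: a success in pam_krb5 must hop over pam_unix, pam_ldap and pam_deny to land on pam_permit, while `default=ignore` lets a Kerberos failure contribute nothing so that the fall-through to LDAP stays possible. The `default=die` on pam_ldap in common-password is what makes a wrong LDAP password terminate passwd at once instead of reaching pam_deny.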