Quoting Guy Teverovsky, from the post of Mon, 04 Jul:
> On Sun, 2005-07-03 at 20:27 +0300, Ira Abramov wrote:
> > 
> > * On winbound machines of the RHEL 3WS variety, I could "su - user" from
> > root without any problem. not so on 3ES, where I got back "su: Invalid
> > password". at some point it magically fixed itself and I could not
> > recreate it (good thing?). could it be a kerberos glitch?
>
> Try creating user called "root" in AD and disabling the requirement for
> Kerberos pre-authentication on that account ("Account" tab in ADU&C or
> adding directly 0x200000 to userAccountControl attribute of the
> account).

Didn't work. 

for completion - the current setup is:

* all winbinding removed
* one server running ypserv, users mostly have no password in the shadow
* both NIS server and all clients (about 10 now) use kerberos for
  authentication, ADC is the KDC. both unix/NIS passwords and kerberos
  let you in. (both set as sufficient in pam)

ypserver is 3ESu5. another server is also 3ESu5, both let me su just
fine from root to any user. the rest of the clients are now 4WS and one
Fedora core 3, all show the same symptom of:
# su - anyone
su: incorrect password

the /etc/pam.d/system-auth file is the same for everyone:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow 100 quiet
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

help?

-- 
Mr. Vane
Ira Abramov
http://ira.abramov.org/email/
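
Added example (not part of the original post): a minimal Python walk of the auth stack quoted above, showing how "required" and "sufficient" combine so that either pam_unix or pam_krb5 succeeding grants access and both failing falls through to pam_deny. It handles only the simple control keywords, and the per-module results are constructed inputs, not output from the machines described.

```python
# Added example: walk the auth stack from the post with simple PAM control flags.
# Bracketed controls ([default=bad ...]) are not handled; the auth lines use none.
SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module_name)] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """results maps module name -> True (success) or False; missing means failure.
    Returns (granted, trace) where trace lists the modules actually consulted."""
    failed = False      # a required/requisite module has failed so far
    succeeded = False   # a required/requisite module has succeeded so far
    trace = []
    for control, module in stack:
        ok = results.get(module, False)
        trace.append((module, control, ok))
        if control == "sufficient":
            # Success short-circuits only if no earlier required module failed;
            # a failing sufficient module is simply ignored.
            if ok and not failed:
                return True, trace
        elif control in ("required", "requisite"):
            succeeded = succeeded or ok
            failed = failed or not ok
            if control == "requisite" and not ok:
                return False, trace
        # "optional" results do not change the outcome in this simplified model
    return succeeded and not failed, trace

if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    # Constructed module results: pam_env succeeds, pam_deny always fails.
    for unix_ok, krb5_ok in [(True, False), (False, True), (False, False)]:
        results = {"pam_env.so": True, "pam_unix.so": unix_ok, "pam_krb5.so": krb5_ok}
        granted, trace = evaluate(stack, results)
        print(unix_ok, krb5_ok, "->", granted, [m for m, _, _ in trace])
```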
