Some comments/thoughts inline.

Cheers, Guy
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Ira Abramov
> Sent: Monday, July 25, 2005 1:26 PM
> To: IGLU Mailing list
> Subject: can't su under kerberos from root to others (was: Active
> Directory)
>
> > > * On winbound machines of the RHEL 3WS variety, I could "su - user"
> > > from root without any problem. not so on 3ES, where I got back "su:
> > > Invalid password". at some point it magically fixed itself and I
> > > could not recreate it (good thing?). could it be a kerberos glitch?

[Guy] Personally I consider it a VERY BAD thing when you are able to su to
accounts defined in an external authentication store. IMHO, you should only
be able to su to root when logged on as an account local to the box, or
else be required to re-authenticate and provide the external account
password.

> > Try creating user called "root" in AD and disabling the requirement for
> > Kerberos pre-authentication on that account ("Account" tab in ADU&C or
> > adding directly 0x200000 to userAccountControl attribute of the
> > account).
>
> Didn't work.

[Guy] Could be related to Kerberos ticket expiration (default = 10 hours).
Because the only time you request a TGT is when logging on, and there is
no process responsible for renewing the TGT, it might affect the way su is
doing things (I speculate here, as I'm not quite sure how su handles
this). Try comparing the output of "klist" on the boxes that fail/succeed
to su.

> for completion - the current setup is:
>
> * all winbinding removed
> * one server running ypserv, users mostly have no password in the shadow
> * both NIS server and all clients (about 10 now) use kerberos for
>   authentication, ADC is the KDC. both unix/NIS passwords and kerberos
>   let you in. (both set as sufficient in pam)
>
> ypserver is 3ESu5. another server is also 3ESu5, both let me su just
> fine from root to any user. the rest of the clients are now 4WS and one
> Fedora core 3, all show the same symptom of:
>
> # su - anyone
> su: incorrect password

[Guy] I have observed the same inconsistent behavior with different RH
distros (FC 2, 3 and RHEL 3). If only someone could give a hint about the
way su does its checks (sorry folks, but no time right now for tracing the
code), you would at least know where to look.
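Added example (editor's code, not from the thread): a small decoder for the AD userAccountControl bit field, using Microsoft's documented UF_* flag values. It lets you check which flag a given number actually toggles before writing it to the attribute. Caveat worth knowing here: 0x200000 is USE_DES_KEY_ONLY (restricts the account's Kerberos keys to DES), while the "do not require Kerberos preauthentication" flag is 0x400000. Disabling preauthentication also lets anyone request an AS-REP for the account and guess its password offline, so it is not a setting to leave on a root-like account longer than the test needs. The sample value below is constructed for illustration.

```python
# Added example: decode and edit the AD userAccountControl bit field.
# Flag names and values are Microsoft's documented UF_* constants.

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
UAC_BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, in bit order.
    Unknown bits are reported as hex so nothing is silently dropped."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"UNKNOWN_0x{mask:08X}"))
    return names


def set_flag(value, name):
    """OR the flag in (arithmetic addition would corrupt an already-set bit)."""
    return value | UAC_BY_NAME[name]


def clear_flag(value, name):
    return value & ~UAC_BY_NAME[name]


def preauth_required(value):
    """True unless DONT_REQ_PREAUTH is set."""
    return not (value & UAC_BY_NAME["DONT_REQ_PREAUTH"])


def risky_flags(value):
    """Flags that weaken Kerberos for the account: no preauth (offline
    AS-REP password guessing), DES-only keys, or no password required."""
    return [n for n in ("DONT_REQ_PREAUTH", "USE_DES_KEY_ONLY", "PASSWD_NOTREQD")
            if value & UAC_BY_NAME[n]]


if __name__ == "__main__":
    # Constructed value: a normal enabled account (0x200) after someone
    # "added 0x200000" to it, as suggested in the thread.
    uac = 0x200 | 0x200000
    print(hex(uac), decode_uac(uac), "preauth required:", preauth_required(uac))
    # What was actually intended: DES-only off, preauth requirement off.
    fixed = set_flag(clear_flag(uac, "USE_DES_KEY_ONLY"), "DONT_REQ_PREAUTH")
    print(hex(fixed), decode_uac(fixed), "risky:", risky_flags(fixed))
```

Run it against the value read back from the directory (with ldapsearch or ADSI Edit) rather than a value you assume is there; `decode_uac` shows every bit that is set, and `risky_flags` is the list to re-check once the su experiment is over.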