hosts/services not all
> machines/services. How can I do this?
It is not too flexible, but search for pam_groupdn and pam_member_attribute.
Javier Palacios
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Kerberos principal I try to authenticate as.
If you have users defined on LDAP, maybe the s+c Authentication
Package (http://sourceforge.net/projects/sc-ap/) might help you. And
if your valid users are not available anywhere, it is not hard to
modify to drop the LDAP lookups and simply create a loc
to tweak the scap code to just create the
user account instead of looking up LDAP to check that user actually
exists.
Javier Palacios
I was trying to avoid.
And you really hope that Microsoft will support non-microsoft KDC out of the box?
Even the ksetup.exe is not on the base bundle but in support tools.
Javier Palacios
> So I was looking for alternatives. MS's SFU ssod looks ok but only
> supports NIS password changes (out of the box). I don't suppose anyone
> has changed ssod to support Kerberos password changes.
I guess you already have an AD, so you don't need either CEDAR or
password sync. The only thing yo
bout NIS, so you know that you may have the same uid in
different boxes. And younger people who never heard about NIS do know
about nss-ldap. And pam_mkhomedir cares about "local profile"
creation.
Javier Palacios
ing heimdal-ldap for a
long time without problems.
Maybe you need two interfaces, but just because you cannot set the
password using only LDAP tools (unless you know the internals of the
way passwords are encoded into the kerberos repository).
Javier Palacios
strict ACL for ldap access
covers online and backup security. And as root can read everything
that's enough for me.
Javier Palacios
untu packages (and I
> have to do this using packages). So, I'd like to know, is there a way to
> bypass this issue? Should I use heimdal?
If you experience problems with MIT, try with heimdal. Configuration only
departs from non-ldap backend in the fact that you must supply an ldap
dbname i
hentication server side, as far as I remember it forces you
to use apache (but apache for Windows is OK).
And regarding the application side, the IIS might be a problem, except
if the code is PHP. But you can integrate it with Java (a tomcat
filter at least).
Hope this helps.
Javier Palacios
lso I cannot write abhi.com = AMIT.ABHI.COM
> or .abhi.com=AMIT.ABHI.COM because it is already used for AS.ABHI.COM.
>
> So is there any workaround for this problem.
> Changing of DNS name is also not possible.
> Any pointers in this regard will be very helpful.
Not completely sure,
ctually ask is a single command to do something like
kadmin -q "addprinc -randkey `hostname -f`" && kadmin -q "ktadd `hostname -f`"
Javier Palacios
rictly required. The unix schema is actually there, and if you are
ready for some debugging loops you can do everything with ldapmodify
from the unix (fedora/ubuntu) box. And as far as I remember, you don't
need to fix a NIS domain attribute.
Javier Palacios
> (a) use mod_auth_ldap for auth, with ldap pointed at a krb5 keytab
> containing authorized principals' credentials,
>
> or,
>
> (b) use mod_auth_krb5 for auth, with ldap setup as krb5's backend db, e.g.,
> dbmodule:db_library = kldap
auth_ldap does not give you credential but password authenti
o query. If the configured one is down, only users already cached are known
> to the system.
> Actually, I set two ldap server in /etc/ldap.conf;
Last time I looked at that, only one was allowed.
Javier Palacios
expertise
enough for other distros.
The distro you are using is an important detail that could help you
clarify that.
The NFSv4 might introduce differences, but for the other parts maybe
this reference could help you a bit
http://kad.wiki.sourceforge.net/ActiveDirectoryIntegration
Javier Palacios
ase for credential based authentication.
Javier Palacios
os security and join it to the domain, and also try with
css_adkadmin.
Javier Palacios
ou need a TGT for
that user/daemon, and either you code the kinit stuff within, or you
use kinit from an external cron. I don't see any other alternatives.
Javier Palacios
allow any kind of roaming profile,
in case you need it.
Javier Palacios
Personally, I got many problems while using ktpass to create a keytab.
You could try to use samba in AD mode, or CSS adkadmin.
Javier Palacios
On Thu, Jul 30, 2009 at 4:34 PM, Douglas E. Engert wrote:
>
>
> jarek wrote:
>> Hi all!
>>
>> I've configured Debia
that this will work.
Javier Palacios
`kinit username` (without the /admin).
And for the pam_krb5 lines on system-auth, you can add 'debug' and
will get some extra info on syslog.
And following the question from Ryan, I recommend you to check first
with console, then with ssh and finally with any window based login.
Javier P
> login as: mmezzanotti
> Using keyboard-interactive authentication.
> Password:
> Last login: Wed Dec 30 14:00:19 2009 from localhost
> Have a lot of fun...
> mmezzano...@os112:~> ls
> bin Documents Music Public Templates
> Desktop Download Pictures public_html Videos
> mmezza
> activated. There is too poor documentation on that issue, maybe that wouldn't
> work anyway.
>
If when you say cluster you mean a sort of high availability with IP
takeover, your issue could be related to name resolution (inverse
and/or direct). Not every DNS record type serves for kerberos
missing' error, although ldapi is working
correctly.
Is there any special setup required to use ldapi ??
Javier Palacios
P.S. : I'm using a CentOS 5.8 machine
On Tue, Jul 24, 2012 at 6:09 PM, Oliver Loch wrote:
> you have to map the local UID to the corresponding ldap-user.
>
>
ldapi was working right (I've done a similar job using heimdal instead of
MIT).
But looks like ldapi is just ignored by kdb5_ldap_util. Does anyone else
have some idea or shoul
On Wed, Jul 25, 2012 at 6:13 PM, Greg Hudson wrote:
> On 07/25/2012 05:26 AM, Javier Palacios wrote:
> > But looks like ldapi is just ignored by kdb5_ldap_util. Does anyone else
> > have some idea or should I file a bug report?
>
> We don't have support for SASL authe