
Thread: RE: FYI: Kerberos on RHEL5




RE: FYI: Kerberos on RHEL5
2007-04-06 14:18:37
Thanks.

I might try that.

Are there any rpms for your pam_krb5? 

Thanks,
Jason

Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 

-----Original Message-----
From: Russ Allbery [mailto:rrastanford.edu] 
Sent: Friday, April 06, 2007 2:47 PM
To: Edgecombe, Jason
Cc: kerberosmit.edu
Subject: Re: FYI: Kerberos on RHEL5

Edgecombe, Jason <jwedgecouncc.edu> writes:

> This is a heads-up for anyone using kerberos on RedHat Enterprise Linux
> 5.

> I just solved a problem that's been a royal pain for me.

> I had console and gdm logins working fine for RHEL5 and I got kerberos
> single-signon working for ssh, but I had trouble getting password
> authentication working. It would accept my kerberos password, but I would
> have any tickets or tokens.

> To solve my problem, I had to enable the use_shmem option in
> /etc/krb5.conf for use with sshd.

This is because the Red Hat PAM module tries to use PAM data to pass
information between the auth module and the session module, which OpenSSH
breaks due to its weird PAM handling.

If you use:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

you shouldn't have this problem and you shouldn't have to use shared
memory hacks to work around it.  (I personally would rather use a
temporary file cache than a shared memory cache because it's a hell of a
lot easier to debug when something goes wrong.  But mileage may vary.)

I'm always interested in any shortcomings of my module that has people
still using other PAM modules for reasons other than "I want to use the
one that comes with the OS" and will try to fix them as I have time.

-- 
Russ Allbery (rrastanford.edu)             <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberosmit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: FYI: Kerberos on RHEL5
2007-04-09 12:47:33
Edgecombe, Jason <jwedgecouncc.edu> writes:

> I might try that.

> Are there any rpms for your pam_krb5? 

Not yet, unfortunately, at least public ones.  There are Stanford-internal
ones, though.  Here is the spec file that we use internally, if it's of
any help.  You'll need to change some of the package names.

It's a very simple package.

%define vers 3.4
# Define global variables here
%define rel %(cat /etc/redhat-release | cut -d' ' -f7)
# Define source files here although the tag comes later
%define source0 pam-krb5-%{vers}.tar.gz
# 64bit work-around
%define mylibdir lib

Name: pam_krb5-SU
Summary: pam-krb5 provides a Kerberos v5 PAM module that supports authentication, user ticket cache handling, simple authorization, and password changing.
Version: %{vers}
Release: 1.EL%{rel}
Copyright: MIT
Group: System Environment/Base
Source0: http://archives.eyrie.org/software/kerberos/%{source0}
BuildRoot: /var/tmp/%{name}-buildroot
Vendor: Stanford University
Conflicts: pam_krb5

BuildRequires: pam-devel

# no i386 builds unless we have to
%ifarch i386
BuildArch: i686
%endif
# 64bit work-around
%ifarch x86_64
 %define mylibdir lib64
%endif

URL: http://www.stanford.edu/


%description
pam-krb5 provides a Kerberos v5 PAM module that supports
authentication, user ticket cache handling, simple
authorization (via .k5login or checking Kerberos principals
against local usernames), and password changing.
For RedHat systems, add these lines to the top of the
/etc/pam.d/system-auth file sections for auth, account and
session respectively:
auth        sufficient     /%{mylibdir}/security/pam_krb5.so ignore_root minimum_uid=1000
account     required       /%{mylibdir}/security/pam_krb5.so ignore_root minimum_uid=1000
session     optional       /%{mylibdir}/security/pam_krb5.so ignore_root minimum_uid=1000

%prep
%setup -n pam-krb5-%{vers}

%build
./configure
env CFLAGS="-O2" make RPM_OPT_FLAGS="$RPM_OPT_FLAGS"

%install
if [[ $RPM_BUILD_ROOT != "/" ]]
then
  rm -rf $RPM_BUILD_ROOT
fi

mkdir -p $RPM_BUILD_ROOT/%{mylibdir}/security/
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man5

#make install DESTDIR=$RPM_BUILD_ROOT
install -m 0755 pam_krb5.so $RPM_BUILD_ROOT/%{mylibdir}/security/pam_krb5.so
install -m 0644 pam_krb5.5 $RPM_BUILD_ROOT/usr/share/man/man5/pam_krb5.5


%clean
if [[ $RPM_BUILD_ROOT != "/" ]]
then
  rm -rf $RPM_BUILD_ROOT
fi

%files
%defattr(-,root,root)
/%{mylibdir}/security/*
/usr/share/man/man5/*

%post

%preun

%postun

%changelog
* Thu Feb 1 2007 Darren Patterson  3.4-1
- updated to 3.4

* Thu Jan 18 2007 Darren Patterson  3.2-1
- updated to 3.2

* Fri Jan 5 2007 Darren Patterson  3.1-1
- updated to 3.1

* Tue Dec 6 2006 Darren Patterson  2.6-1
- updated to 2.6

* Fri Nov 11 2006 Darren Patterson  2.5-1
- updated to 2.5

* Wed Nov 1 2006 Darren Patterson  2.4-2
- fix bug with inserting arch in documentation

* Mon Oct 9 2006 Darren Patterson  2.4-1
- update to 2.4

* Wed Oct 4 2006 Darren Patterson  2.3-1
- new source release, 64bit cleanup for work-around

* Mon Aug 14 2006 Darren Patterson  2.0-1
- initial build

-- 
Russ Allbery (rrastanford.edu)             <http://www.eyrie.org/~eagle/>
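
Added example (not part of the original messages and not code from the pam-krb5 project): a Python check of whether a PAM stack carries the three pam_krb5.so lines that the spec file's %description says to put at the top of the auth, account and session sections. The function names and the sample stack are constructed for illustration, and backslash line continuations are not handled.

```python
# Controls and options the spec's %description lists for each PAM facility.
EXPECTED = {"auth": "sufficient", "account": "required", "session": "optional"}
WANTED_ARGS = ("ignore_root", "minimum_uid")

def parse_pam(text):
    """Parse pam.d-style text into (facility, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)   # drop comments
        if len(fields) < 2:
            continue
        facility, rest = fields[0].lstrip("-"), fields[1]
        if rest.startswith("["):                       # [success=1 default=ignore]
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        parts = rest.split()
        if parts:                                      # compare module by file name
            entries.append((facility, control, parts[0].rsplit("/", 1)[-1], parts[1:]))
    return entries

def audit_pam_krb5(text, module="pam_krb5.so"):
    """Return findings on how `module` is wired into auth/account/session."""
    entries, findings = parse_pam(text), []
    for facility, control in EXPECTED.items():
        stack = [e for e in entries if e[0] == facility]
        hits = [(i, e) for i, e in enumerate(stack) if e[2] == module]
        if not hits:
            findings.append(f"{facility}: {module} not present")
            continue
        pos, (_, ctl, _, args) = hits[0]
        if pos != 0:
            findings.append(f"{facility}: {module} is entry {pos + 1}, not first")
        if ctl != control:
            findings.append(f"{facility}: control {ctl} != {control}")
        names = {a.split("=", 1)[0] for a in args}
        findings += [f"{facility}: missing option {w}" for w in WANTED_ARGS if w not in names]
    return findings

# Constructed sample stack, not taken from a real host.
SAMPLE = """\
auth     required    pam_env.so
auth     sufficient  /lib64/security/pam_krb5.so ignore_root minimum_uid=1000
account  required    /lib64/security/pam_krb5.so ignore_root
session  required    pam_unix.so
"""
if __name__ == "__main__":
    print("\n".join(audit_pam_krb5(SAMPLE)))
```
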
