[Fedora-directory-users] Question re: {KERBEROS} syntax

Richard Megginson rmeggins at redhat.com
Wed Jul 26 15:59:28 UTC 2006


Tom Ryan wrote:
> It happens to all of us...
>
> I am still having a couple of issues though (for everyone else 
> listening :)
>
> I changed pamMapMethod to Entry
> I then set pamIDAttr to aliasedObjectName (out of laziness for now)
>
> When I start the slapd with this, I get this..
>
> pam_passthru-plugin - Warning: The following suffixes listed in 
> pamExcludeSuffix or pamIncludeSuffix are not present in this server: 
> o=NetscapeRoot

>
> But, the admin server will still start just fine..
The warning is just for your information, for debugging the setup, if 
you accidentally set an incorrect suffix. If you don't have the 
o=NetscapeRoot suffix on this server, or if you don't want to do pam 
passthru on that suffix, you can either omit it from the include/exclude 
list, or set the attribute pamMissingSuffix in the pam plugin entry to 
"IGNORE".
>
> Regardless, the system does not appear to try to use the 
> aliasedobjectname for the user to pass to pam.. (I have 
> KRBPRINC at REALM.COM in aliasedobjectname)..
Any errors in the errors log? Does it work any better if your krbprinc 
name is all lower case and the realm is all upper case e.g. 
krbprinc at REALM.COM?
>
> Any ideas?
>
> Tom
>
> Ps.. If I leave it as RDN, I get no error on startup about suffix and 
> as long as my bind dn matches my krb princ in the default realm, it 
> works.. So I’m halfway there?
>
>
>
> On 7/26/06 9:18 AM, "Paul Engle" <pengle at rice.edu> wrote:
>
>     *Blush* Okay, that's just plain embarrassing. That ended up being
>     caused by having the 'auth' part in the pam configuration but no
>     'account' line for pam_krb5.so.
>
>     -paul
>
>     - --On Tuesday, July 25, 2006 05:49:51 PM -0400 Tom Ryan
>     <tomryan at camlaw.rutgers.edu> wrote:
>
>     >
>     >
>     >
>     > On 7/25/06 5:47 PM, "Paul Engle" <pengle at rice.edu> wrote:
>     >
>     >
>     >
>     > I'm not familiar with that message. I don't recall having any
>     > issues. I wasn't trying to add it to a live server, though. I was
>     > working on a development machine and was able to yank the DS up
>     > and down with impunity.
>     >
>     >
>     > In this message,
>     >
>     > http://www.redhat.com/archives/fedora-directory-users/2006-May/msg00081.html
>     >
>     > You noted you had the same error (reset required) when simple
>     > binding at first..
>     >
>     > Tom
>
>
>
>     - --
>     Paul D. Engle | Rice University
>     Sr. Systems Administrator | Information Technology - MS119
>     (713) 348-4702 | P.O. Box 1892
>     pengle at rice.edu | Houston, TX 77251-1892
>
>     --
>     Fedora-directory-users mailing list
>     Fedora-directory-users at redhat.com
>     https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
