Granting su rights to users? Using PAM and Kerberos...
Craig White
craigwhite at azapple.com
Tue Nov 22 00:20:46 UTC 2005
On Mon, 2005-11-21 at 16:03 -0800, Daniel B. Thurman wrote:
> -----Original Message-----
> From: Bohmer, Andre ten [mailto:fedora-list-bounces at redhat.com]On Behalf Of Bohmer, Andre ten
> Sent: Monday, November 21, 2005 1:43 PM
> To: For users of Fedora Core releases
> Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>
>
> Hi,
>
> Maybe you have to enable local authorization sufficient in
> order to use su? We're using kerberos v5 to authenticate Linux
> accounts against Active Directory, and had a similar problem
> on Red Hat EL AS 4.
> Sorry for the very bad quoting, using OWA ...
>
> Cheers,
> Andre
>
> Hmm... What do you mean by 'local authorization sufficient' ?
>
> What I noticed was in /var/log/krb5kdc.log is that it was reporting a lot
> of root at REALM principal was missing in the database so I added the
> root principal and that appeared to make the log a bit quieter but
> the su root problem still remains.
>
> I am guessing that somewhere I will need to allow user root access with
> kerberos as the googles mentioned it for kerberos IV (kdb_edit) but does
> not say anything about kerberos 5 so I am assuming that kdb_edit is
> deprecated and something else takes its place?
>
> Another person who responded asked me to check /etc/pam.d/su but
> I cannot tell what I am supposed to look at. I will need to check to see
> if kerberos entries need to be in there since I was some instructions
> from http://www.ofb.net/~jheiss/krbldap/howto.html mentions to add
> kerberos support to /etc/pam/system-auth but
> nothing about /etc/pam.d/su ...
>
> Any pointers, links, howtos, or whatever is appreciated!
----
perhaps you are way beyond this but did you run system-config-authorization
and enable kerberos authorization?
su does its own pam stuff as well.
also, are you pretty together with saslauthd?
/etc/saslauthd.conf ?
/etc/sysconfig/saslauthd ?
Craig