Granting su rights to users? Using PAM and Kerberos...
Daniel B. Thurman
dant at cdkkt.com
Tue Nov 22 01:46:56 UTC 2005
>-----Original Message-----
>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Craig White
>Sent: Monday, November 21, 2005 4:21 PM
>To: fedora-list at redhat.com
>Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>
>
>On Mon, 2005-11-21 at 16:03 -0800, Daniel B. Thurman wrote:
>> -----Original Message-----
>> From: Bohmer, Andre ten [mailto:fedora-list-bounces at redhat.com]On Behalf Of Bohmer, Andre ten
>> Sent: Monday, November 21, 2005 1:43 PM
>> To: For users of Fedora Core releases
>> Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>>
>>
>> Hi,
>>
>> Maybe you have to enable local authorization sufficient in
>> order to use su? We're using kerberos v5 to authenticate Linux
>> accounts against Active Directory, and had a similar problem
>> on Red Hat EL AS 4.
>> Sorry for the very bad quoting, using OWA ...
>>
>> Cheers,
>> Andre
>>
>> Hmm... What do you mean by 'local authorization sufficient' ?
>>
>> What I noticed in /var/log/krb5kdc.log is that it was reporting a lot
>> that the root at REALM principal was missing in the database, so I added
>> the root principal and that appeared to make the log a bit quieter, but
>> the su root problem still remains.
>>
>> I am guessing that somewhere I will need to allow user root access with
>> kerberos as the googles mentioned it for kerberos IV (kdb_edit) but does
>> not say anything about kerberos 5 so I am assuming that kdb_edit is
>> deprecated and something else takes its place?
>>
>> Another person who responded asked me to check /etc/pam.d/su but
>> I cannot tell what I am supposed to look at. I will need to check to see
>> if kerberos entries need to be in there since I saw some instructions
>> from http://www.ofb.net/~jheiss/krbldap/howto.html that mention adding
>> kerberos support to /etc/pam/system-auth but
>> nothing about /etc/pam.d/su ...
>>
>> Any pointers, links, howtos, or whatever is appreciated!
>----
>perhaps you are way beyond this but did you run
>system-config-authorization and enable kerberos authorization?
>
>su does its own pam stuff as well.
I think this is the area I am trying to figure out. Someone told
me that you have to do *something* to give users the right to
su as root when I did FC1. Dang... I forgot what it was....
>
>also, are you pretty together with saslauthd?
No, not really. I got kerberos and ldap running and
so far it seems to do SSL/TLS and SASL/GSSAPI, or so it
seems, but what does saslauthd have to do with this? Beats
me! :-)
>
>/etc/saslauthd.conf ?
No. The above file does not exist in my FC4 system. I
found only one file in the entire filesystem:
/usr/share/logwatch/default.conf/services/saslauthd.conf
>/etc/sysconfig/saslauthd ?
No. I am not running saslauthd at this time. Odd thing to me is
that I am able to execute sasl with ldap - got that working so I
am not sure about saslauthd. Guess I will have to read up on this
one...
>
>Craig
>
>