How to make CentOS iterate over principals in .k5login (take password for one of them)
At my work, we use a combination of Debian and, newly, some CentOS 7 machines. We have a group of Kerberos+LDAP servers that provide user authentication to other machines. Everything has been fine until now.
I was tasked to create a new CentOS 7 users webserver which should be kerberized to allow users to log in with their password.
Every webpage should have its own name and a specific group of people should be able to log in to manage it.
But it is for normal BFUs, so no krb tickets, just passwords!
On Debian this is still not a problem. Kerberize the server and put a .k5login file containing user principals in the home dir of the webpage. Then add search_k5login to the pam_krb5 line in /etc/pam.d/common-auth.
So I would have something like:
/etc/pam.d/common-auth:
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 search_k5login
/srv/www/webpage/.k5login:
user1@COMPANY.CZ
user2@COMPANY.CZ
With this, Debian takes the password provided by the user and tries it on those krb principals, so users can log in from stupid Windows PuTTY/FTP/etc. without even knowing something like krb exists.
But now I need to do this on CentOS 7 and can't get something like this working. (Logging in with a krb5 ticket works without problems.)
And it seems as if the answer is written somewhere where I can't reach it with my searches.
I have tried:
- just adding the same option to pam
- studying the krb5.conf and pam_krb5 manuals
- wasting several hours on unsuccessful searches for HowTos/(video) tutorials etc.
Does anybody know how to do this?
TL;DR
I need to get a server with:
- CentOS 7
- krb5 client
- pam_krb5
to accept login with a password and try the password on the krb5 principals in the .k5login file, and I can't find a way to do it.
centos login kerberos
Check the logs? Does it say why it's failing? I assume you added 'search_k5login' into /etc/pam.d/password-auth on the auth line with pam_krb5.so?
– jsbillings
yesterday
@jsbillings Yes, I tried to add the same option to /etc/pam.d/password-auth in CentOS. Logs are not helping. The pam_krb5 simply fails with:
pam_krb5[26553]: authentication fails for 'webpage' (webpage@COMPANY.CZ): User not known to the underlying authentication module (Client not found in Kerberos database)
IMHO it does not try the principals in .k5login (users for webpages on the Debian machine are also not in the krb DB).
– Prazape
yesterday
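The comparison made by eye in the comments above, as an added example that is not part of the original thread: it relates a pam_krb5 failure line to the options on the PAM auth line and to the principals in .k5login, showing which principal the module actually tried. The `password-auth` stanza is a constructed sample, and the log format is assumed to match the one line quoted in the comment.

```python
import re

# Constructed samples modelled on the question; the password-auth stanza is an assumption.
PAM_AUTH = """\
auth  required    pam_env.so
auth  sufficient  pam_krb5.so minimum_uid=1000 search_k5login
auth  required    pam_deny.so
"""
K5LOGIN = "user1@COMPANY.CZ\nuser2@COMPANY.CZ\n"
LOG = ("pam_krb5[26553]: authentication fails for 'webpage' (webpage@COMPANY.CZ): "
       "User not known to the underlying authentication module "
       "(Client not found in Kerberos database)")

# Failure format as quoted in the comment: account, attempted principal, reason.
FAIL_RE = re.compile(r"pam_krb5\[\d+\]: authentication fails for '([^']+)' \(([^)]+)\): (.+)")


def krb5_auth_options(pam_text):
    """Options on the first 'auth' line that loads pam_krb5.so, or None if absent."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] != "auth":
            continue
        for i, field in enumerate(fields):
            # The control field may be bracketed and span several tokens,
            # so locate the module by name rather than by position.
            if field.endswith("pam_krb5.so"):
                return fields[i + 1:]
    return None


def k5login_principals(text):
    """Principals listed in a .k5login file, one per line, blank lines skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def diagnose(pam_text, k5login_text, log_line):
    """Relate a pam_krb5 failure to the PAM options and the .k5login contents."""
    opts = krb5_auth_options(pam_text)
    listed = k5login_principals(k5login_text)
    m = FAIL_RE.search(log_line)
    attempted = m.group(2) if m else None
    option_set = opts is not None and "search_k5login" in opts
    if attempted is None:
        verdict = "no pam_krb5 failure found in log line"
    elif attempted in listed:
        verdict = "a .k5login principal was tried and rejected"
    elif option_set:
        verdict = "search_k5login is set but the tried principal is not from .k5login"
    else:
        verdict = "search_k5login is not set on the pam_krb5 auth line"
    return {"option_set": option_set, "attempted": attempted,
            "listed": listed, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(PAM_AUTH, K5LOGIN, LOG))
```
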
asked 2 days ago
Prazape