authentication using kerberos


cs-sys

Apr 14, 2015, 8:41:06 AM
to scmma...@googlegroups.com, anita.c...@cs.kuleuven.be

We are trying to set up authentication using PAM and Kerberos.

/etc/pam.d/common-auth

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

No problems with local and LDAP authentication,
but Kerberos authentication is not working:

   Incorrect username, password or not enough permission. Please Try again.

scm-manager.log:
   2015-04-14 14:34:44.179 [qtp2012245301-21] WARN  sonia.scm.api.rest.resources.AuthenticationResource - authentication failed for user u0000616

Where can I find more documentation? Can you help me to set up this way of authentication?

Best,
Anita

Sebastian Sdorra

Apr 18, 2015, 4:30:47 PM
to scmma...@googlegroups.com
Does the Linux user, which is the owner of the scm-manager process, have read access to /etc/shadow? Have you changed the service name in the scm-manager configuration? Does the Kerberos authentication work with ssh?

Sebastian


cs-sys

Apr 21, 2015, 10:08:08 AM
to scmma...@googlegroups.com


On Saturday, April 18, 2015 at 10:30:47 PM UTC+2, Sebastian Sdorra wrote:
Does the Linux user, which is the owner of the scm-manager process, have read access to /etc/shadow? Have you changed the service name in the scm-manager configuration? Does the Kerberos authentication work with ssh?

It is a firewall issue. It works fine now.
Thank you for the tip.
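How the `success=N` jumps in the common-auth stack from the first post decide the outcome, as an added example that is not part of the thread or of SCM-Manager. It is a simplified model of libpam stack evaluation (only numeric jumps and `ignore` are handled in bracketed controls), and the module outcomes passed to `run` are constructed inputs.

```python
import re

# The auth stack from the first post (/etc/pam.d/common-auth), comments dropped.
STACK = """\
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

def parse(text):
    """Return (control, module) pairs; a bracketed control becomes a dict."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            control = dict(kv.split("=") for kv in control[1:-1].split())
        rules.append((control, module))
    return rules

def run(rules, results):
    """Simplified libpam evaluation (assumption: not the real implementation).
    results maps module name -> True/False; unlisted modules count as failing."""
    always = {"pam_deny.so": False, "pam_permit.so": True}
    status, visited, i = None, [], 0
    while i < len(rules):
        control, module = rules[i]
        ok = always.get(module, results.get(module, False))
        visited.append(module)
        i += 1
        if isinstance(control, dict):
            action = control.get("success" if ok else "default", control.get("default", "ignore"))
            if action.isdigit():
                i += int(action)  # jump over the next N modules; status is untouched
            continue              # anything else is treated as 'ignore' in this model
        if control == "optional":
            continue
        if not ok:
            status = False
            if control == "requisite":
                break             # pam_deny.so ends the stack immediately
        elif status is None:
            status = True         # pam_permit.so primes the success code
    return status is True, visited
```

When `pam_krb5.so` cannot succeed, the stack falls through to `pam_unix.so` and `pam_ldap.so`, so only accounts that neither of those accepts reach `pam_deny.so`.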