similar to: pam_winbind verses pam_krb5

Hi all, I am just after some opinions about the pros and cons of winbind compared to the 'standard' kerberos and ldap methods. I've have already got single sign on working with pam_krb5 and nss_ldap (using SASL/GSSAPI) against SBS 2003 (with MSSFU 3.0) using Debian Sarge as clients/'member servers', and integration of Samba is the next bit I'm looking at. The impressions

A few weeks ago, we upgraded our Red Hat 7.3 and 9 machines to OpenSSH 3.6.1p2 w/ the corresponding version of Simon's GSSAPI patch. All the expected functionality seems to be there: I can ssh/scp/sftp via Kerberos tickets or local password. However, I seem to be getting a new error message in my logs: For Red Hat 7.3: Message from syslogd at gallifrey at Thu Oct 2 17:24:12 2003 ...

A bit more then a curiosity. Mobing from Samba/NT to Samba/AD i'm now switching some 'one-purpose' (mostly containers) from libpam-ldaps to libpam-krb5. In these box normally i don't need user access, so i create 'manually' (eg, in /etc/passwd) only the admin users, and i add only the PAM layer to do external auth. Still i use ssh keys for direct root access, but as an

A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 255 bytes Desc: OpenPGP digital signature Url : http://lists.samba.org/archive/samba/attachments/20060525/a6a8d41f/signature.bin

Hi all, I'm trying to get pam_winbind to create ticket cache on login if the AD is available. Please note that this is an Ubuntu Lucid system. When trace this with wireshark it receives a TGT ticket for the user. The current solution is to use pam_krb5 before attempting winbind. That gives me a ticket cache. The main problem is that if the user enters the wrong password it does two login

Hello, Prequalify: I'm quite a novice w/ Kerberos, so my terminology and assumptions may be rough. Also, please CC me since I'm not a list subscriber. I'm running a fairly recent -STABLE [1] and have installed the base Heimdal Kerberos implementation via the MAKE_KERBEROS5 knob in /etc/make.conf. I'm having the problem that I don't see a cached credential file being created

I found the solution, or at least a work around, for my posting: "Can not grant SeMachineAccountPrivilege on Debian Etch" I ended up: 1) ssh to Debian Etch as root 2) smbpasswd -a root 3) issue the "net rpc rights grant ..." command SUCCESS!!! So, that raises the question that what MUST be executed as user root verses a member of ntgroup="Domain Admins"? I suspect

First time poster so be kind :) I was looking at the pam_krb5.c code and noticed that for authentication to succeed getpwnam() has to succeed. Previously I had setup a web site using mod_auth_pam to authenticate against an active directory (AD) server using a pam config like: # auth auth required pam_krb5.so no_ccache no_warn # account account required

openssh-unix-dev at mindrot.org kerberos at ncsa.uiuc.edu We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5 module. When a Kerberos principal has the REQUIRES_PWCHANGE (+needchange) flag set, OpenSSH+pam_krb5 will still successfully authenticate the user. Local 'su' and 'login' fail in this case which leads us to believe it's at least

Hi, Just writing here my note about auth_default_realm, pam_krb5 and gssapi. It seems that 'pam' passdb and 'gssapi' auth_mechanism doesn't honor 'auth_default_realm' setting, at least in several setups I deal with. Here is a part of the config: passdb { args = max_requests=100 cache_key=%u%r dovecot driver = pam } auth_default_realm = REALM.COM

A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 255 bytes Desc: OpenPGP digital signature Url : http://lists.samba.org/archive/samba/attachments/20060603/fc42cc7d/signature.bin

I have set up LDAP/KRB5 access to my active directory network. If I do a getent passwd, I see the users with a unix UID/GID. If use kinit, I can get a token. If I su to a user, it creates a home folder, and shows correct IDs etc. However the machine will not log in via ssh or the GUI. In secure I see: Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ccache dir: /tmp Oct 27 11:14:55 rhelads

http://bugzilla.mindrot.org/show_bug.cgi?id=127 Summary: PAM with ssh authentication and pam_krb5 doesn't work properly Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo:

with the following pam.conf entries, after being prompted for a login password the connection is closed: other auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass the system logs the error: sshd[4215]: fatal: input_userauth_info_response_pam: no authentication context if the pam.conf entry is changed to the

http://bugzilla.mindrot.org/show_bug.cgi?id=128 Summary: PAM with ssh authentication and pam_krb5 doesn't work properly Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo:

http://bugzilla.mindrot.org/show_bug.cgi?id=228 Summary: pam_krb5 on Solaris creates credentials with wrong owner Product: Portable OpenSSH Version: 3.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

CentOS Errata and Security Advisory 2008:0907 Moderate Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0907.html The following updated files have been uploaded and are currently syncing to the mirrors: ( md5sum Filename ) x86_64: 170d6bff250c6421af85fe945afac813 pam_krb5-2.2.14-1.el5_2.1.i386.rpm 52cd3e3625edcd04e98bef7f50c4e19d pam_krb5-2.2.14-1.el5_2.1.x86_64.rpm Source:

CentOS Errata and Bugfix Advisory 2010:0529 Upstream details at : https://rhn.redhat.com/errata/RHBA-2010-0529.html The following updated files have been uploaded and are currently syncing to the mirrors: x86_64: pam_krb5-2.1.17-8.el4_8.1.i386.rpm pam_krb5-2.1.17-8.el4_8.1.x86_64.rpm Source: pam_krb5-2.1.17-8.el4_8.1.src.rpm -- Karanbir Singh CentOS Project { http://www.centos.org/ }

CentOS Errata and Bugfix Advisory 2011:1016 Upstream details at : https://rhn.redhat.com/errata/RHBA-2011-1016.html The following updated files have been uploaded and are currently syncing to the mirrors: ( md5sum Filename ) x86_64: 3720267fe5df2bfb732084f67ecfc7c6 pam_krb5-2.2.14-21.el5.i386.rpm 2806603ba5624fbef4c756b058c971ad pam_krb5-2.2.14-21.el5.x86_64.rpm Source:

http://bugzilla.mindrot.org/show_bug.cgi?id=563 Summary: getaddrinfo() in libopenbsd-compat.a breaks heimdal- linked pam_krb5 Product: Portable OpenSSH Version: -current Platform: Sparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: Miscellaneous