# Replace NIS with LDAP/Kerberos

## rwallace

As the subject says I'm trying to replace NIS on my network with a combination of LDAP and Kerberos.  I'm using OpenLDAP v2.0.27 and mit-krb5 v1.2.7.  I've previously used just OpenLDAP as a solution, but wanted to try something a little different this time to get experience with Kerberos.  So far, it seems pretty cool.

I've got the servers installed and set up, mostly by following the documentation for the projects and this helpful little site http://ofb.net/~jheiss/krbldap/.  All the tests work fine.  I can use kadmin to create new principals and I can connect to the ldap server using all the methods listed there.

So, I've created a couple of principals in kerberos and added a user entry into the ldap server.  I installed and configured pam_krb5 (I'll attach the /etc/pam.d/system-auth file at the end) and nss_ldap on the server to do testing.

I know Kerberos is working because I can use kinit to get tickets for the principal I created.  I know OpenLDAP is working because I loaded some users and am able to search for them.  nss_ldap also seems to be set up properly, because I'm able to do 'id username' and 'getent passwd username' and get the values I think I entered into the directory.

I've done my best on the pam configuration but I don't think it's quite right.  I can login from a local tty on the server but can't login via ssh or login on a tty on a client machine.  The client machines are all configured the same way as the client apps (nss_ldap and pam_krb5) on the server.  The only way to get the client machines to login is if there is a local account of the same name.  The password doesn't have to be set or anything, there just has to be an entry in the passwd file.  I'm not sure what exactly this means but I'm guessing it's the reason I get the 'illegal user' in the log messages below.

I've been wracking my brain over this all day and am just about burned out.  The only error messages that seem to come up are:

On the server (when trying to ssh):

```
May 21 22:35:31 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost
May 21 22:35:33 [sshd] Failed password for illegal user rwallace from 127.0.0.1 port 32846 ssh2
May 21 22:35:38 [sshd] Failed password for illegal user rwallace from 127.0.0.1 port 32846 ssh2
May 21 22:35:39 [sshd] Failed password for illegal user rwallace from 127.0.0.1 port 32846 ssh2
May 21 22:35:39 [sshd(pam_unix)] 3 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost
```

and

On the client (when logging in from a tty):

```
May 21 22:19:27 [login(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=/dev/vc/1 ruser= rhost=  user=root
May 21 22:19:27 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR root, Authentication failure
```

Any help figuring all this out would be greatly appreciated.  Also, I would be glad to do an informal writeup of how I got this all to work on gentoo once I do get it working if any one is interested.  Thanks.

Rich

Here's that system-auth file as promised:

```
#%PAM-1.0
auth            required        /lib/security/pam_env.so
auth            sufficient      /lib/security/pam_unix.so likeauth nullok nodelay
auth            sufficient      /lib/security/pam_krb5.so debug use_first_pass
auth            required        /lib/security/pam_deny.so

account         required        /lib/security/pam_unix.so
account         required        /lib/security/pam_access.so
account         [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]       /lib/security/pam_krb5.so debug
account         required        /lib/security/pam_access.so

password        required        /lib/security/pam_cracklib.so retry=3
password        sufficient      /lib/security/pam_unix.so nullok md5 shadow use_authtok
password        sufficient      /lib/security/pam_krb5.so use_authtok debug
password        required        /lib/security/pam_deny.so

session         required        /lib/security/pam_limits.so
session         required        /lib/security/pam_unix.so
session         sufficient      /lib/security/pam_krb5.so debug
```

----------

## Praxxus

Have you done anything to your /etc/nsswitch.conf file?  I've set up our LAN to use Samba/OpenLDAP authentication (no kerberos), and here's the /etc/nsswitch.conf file on my desktop machine (or at least the relevant parts):

```
passwd:      files ldap
shadow:      files ldap
group:       files ldap
```

Which means when a service tries to authenticate, it first checks the /etc/(passwd|shadow|group) files, and if the user is not found there, it consults LDAP.

I'm not sure if the entry would be the same with kerberos or not.  

Hope this helps!

----------

## rwallace

Yup, I've got nss_ldap installed and configured.  Executing 'id username' returns the expected values from the ldap database.  At this point I'm thinking I might use pam_ldap instead of pam_krb5 and have OpenLDAP refer to the Kerberos server for authentication.  The only thing I'm not sure about in that case is whether the kerberos ticket will get sent back to the user or not.

At this point, though, I'm starting to wonder about the point of even doing Kerberos.  I like the ticket system and I may use afs which means kerberos kinda makes sense (at least from what I've read).

Any ideas?  Is kerberos more secure for password storage than openldap?  Or is the primary advantage in the use of kerberos tickets?

Thanks for the input.

----------

## rwallace

Ok, here's the latest after hacking away at this all day.  I did manage to get client workstations able to authenticate and login using the pam_krb5 module in portage.

While playing around a bit I found that the 'passwd' command fails with this module.  It simply gives me an "Authentication token manipulation error" and dies right away, w/o prompting for any input.

In my grepping (or should that be googling?) of the web I found an alternative module here http://sourceforge.net/projects/pam-krb5/.  This module worked nearly seamlessly with the configuration I already had on the server and the test workstation w/o having to change the /etc/pam.d/system-auth file much.  I only changed the account line for pam_krb5 to be 'sufficient' instead of the big ugly mess it was before (it wasn't letting root login with the mess, but everything works great with sufficient).  Anyone know what it would take to get this module in portage?  The one in there is a little dated, IMHO.

I tested as much as I could with this and am happy to say things are looking good.  I can authenticate to the server from the workstations using the pam_krb5/nss_ldap combination and am even able to change passwords by just using the passwd command, no need for kpasswd (which is good if you want to use cracklib to enforce good passwords).

Only thing I have yet to figure out is why openssh is still giving me problems.  I know I can configure it to use Kerberos directly, but I would like to figure out why the OpenSSH->PAM->Kerberos/LDAP isn't working.

Once I get that all done and get TLS/SSL working for the LDAP connections I'll make a list of steps I took and post them here (unless there is a better place).
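The account-line change described in this post (the bracketed `[default=bad success=ok user_unknown=ignore ...]` control versus plain `sufficient`) comes down to how Linux-PAM walks a module stack. The script below is an added example, not code from this thread, from Linux-PAM or from pam_krb5: it re-implements the control-flag semantics of Linux-PAM's stack walk and runs both account stacks from this thread through it. The per-module return codes for each user (in particular pam_krb5 returning a generic error for root, who has no principal) are assumed values for illustration.

```python
"""Walk a PAM 'account' stack the way Linux-PAM does, to compare the two
pam_krb5 account lines discussed in this thread.  Added example; not code
from the thread, from Linux-PAM or from pam_krb5.  The module return codes
per user below are ASSUMED for illustration."""
import re

# Linux-PAM expands the simple control keywords into these [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_line(line):
    """Parse one system-auth line into (type, action-table, module-name)."""
    m = re.match(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line.strip())
    if not m:
        raise ValueError("not a PAM line: " + line)
    mtype, control, module = m.groups()
    if control.startswith("["):          # explicit [default=bad success=ok ...] form
        table = dict(pair.split("=", 1) for pair in control[1:-1].split())
    else:
        table = KEYWORDS[control]
    return mtype, table, module.rsplit("/", 1)[-1]


def parse_stack(text):
    return [parse_line(l) for l in text.strip().splitlines()]


def run_stack(stack, results, mtype="account"):
    """Return (status, modules_consulted) for one management group.

    results maps module name -> return code ('success', 'auth_err', ...).
    Mirrors the Linux-PAM dispatch logic: 'bad'/'die' record a failure that
    later 'ok' results cannot undo; 'ok'/'done' only set the status while no
    failure has been recorded; 'done' and 'die' stop the walk.  Jump (N) and
    'reset' actions are not modelled."""
    impression, status, consulted = None, None, []
    for kind, table, module in stack:
        if kind != mtype:
            continue
        retval = results[module]
        consulted.append(module)
        action = table.get(retval, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        else:                            # 'bad' or 'die'
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
    if impression is None:               # no module contributed: PAM denies
        status = "perm_denied"
    return status, consulted


def decide(stack, results):
    status, consulted = run_stack(stack, results)
    return ("allow" if status == "success" else "deny"), consulted


# The two account stacks from this thread (module options omitted).
ORIGINAL = parse_stack("""
account required /lib/security/pam_unix.so
account required /lib/security/pam_access.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so
account required /lib/security/pam_access.so
""")
CHANGED = parse_stack("""
account required /lib/security/pam_unix.so
account required /lib/security/pam_access.so
account sufficient /lib/security/pam_krb5.so
account required /lib/security/pam_access.so
""")

# Constructed return codes: root has no principal, so pam_krb5 is ASSUMED to
# report a generic error rather than user_unknown; the Kerberos user passes.
ROOT = {"pam_unix.so": "success", "pam_access.so": "success", "pam_krb5.so": "auth_err"}
KRB_USER = {"pam_unix.so": "success", "pam_access.so": "success", "pam_krb5.so": "success"}

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("sufficient", CHANGED)):
        for who, res in (("root", ROOT), ("krb user", KRB_USER)):
            print(name, who, decide(stack, res))
```

The consulted-module list also shows the flip side of `sufficient`: once pam_krb5 succeeds, the trailing pam_access line is never evaluated, so any restriction only that line enforced is skipped for Kerberos users.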

----------

## zen_guerrilla

*rwallace wrote:*

> Once I get that all done and get TLS/SSL working for the LDAP connections I'll make a list of steps I took and post them here (unless there is a better place).

I'm interested to replace my current nis/nfs/autofs (linux) & samba (win) setup with openldap/krb5 & openafs/samba. 

Any further results of your setup or even better a place with how-to's for all that ?

I've never used ldap & autofs before  :Confused: 

----------

## rwallace

I'm still kinda hacking the openafs stuff together.  I'm hoping to create some ebuilds for some of the packages not in portage.

But, if you want to get going and try hacking things together yourself, here are some links I've found valuable:

1) Replacing NIS with Kerberos and LDAP (http://ofb.net/~jheiss/krbldap/)

A good starting place for replacing NIS with the ldap/krb5 combination.  Once you get people logging in using this and the pam module below you're half way there.

2) Sourceforge pam_krb5 module (http://sourceforge.net/projects/pam-krb5/)

This module has more functionality than that in the portage tree and will even grab afs tokens for your users when they login (more on this later).

You should at this point have your users authenticating using the ldap/krb5 combination, time to move onto openafs!  For reasons listed on these forums force version 1.2.8 of openafs to be installed instead of the default 1.3.2.

3) Gentoo OpenAFS howto (http://www.gentoo.org/doc/en/openafs.xml)

Good way to get your basic setup going.  You want to configure openafs to use the kaserver that it provides for testing, we'll replace it later with krb5.  One other hint: Make sure the cell that you setup is the same as the realm you setup for krb5.  Things get very tricky if you don't.

4) AFS-KRB5 Migration kit (ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/)

Download the afs-krb5-2.0.tar.gz file and compile it.  This package provides aklog and asetkey used below.

5) Replace kaserver in OpenAFS with krb5 (https://lists.openafs.org/pipermail/openafs-info/2002-March/003872.html)

This is a VERY basic howto on steps needed to get afs and krb5 to play together.  It also has some links to some other sites with some information on this subject.

6)  OpenAFS mailing list archives (https://lists.openafs.org/pipermail/openafs-info/)

I've been posting questions as I run into problems along the way and have been getting the answers to many of my questions there.  One thing you'll want to know from these is that you should have the realm and cell name be the same (except the realm should be all caps) and you need to create a user using the pts command for afs to recognize you after getting the tickets from krb5 and token from afs.  There's also some stuff on getting libkrbafs and pam_krb5afs working (mentioned below).

7) krbafs library (http://web.mit.edu/openafs/krbafs/)

This is needed if you want to use pam_krb5afs (part of the pam_krb5 module at (2)) as your login method, which I highly recommend.  You will need some tweaks for it, such as the afs_string_to_key copied from the kth-krb source.  There are also some build problems that I've been having that you can find in the mailing list.

All that is pretty much as far as I've gotten so far.  I've got pam_krb5afs working on my clients so they authenticate off the krb5 server and automagically grab afs tokens.  My home directory is now stored in afs and things seem to generally work alright.  The only problems I'm having and anticipate are from gdm and gnome session stuff.  Right now gdm won't let me login because of a permissions problem.  This stuff is all in the archives, though, so hopefully I'll be able to work through it pretty quickly.

If you have any questions post 'em and I'll answer them the best I can.  I'm about to start a new job as well as my own business so I don't know when I'll get around to writing a full how-to, but this should get you on the right path.  It's more than I had  :Wink: 

Good luck and have fun!

Last edited by rwallace on Mon Sep 29, 2003 10:49 pm; edited 1 time in total

----------

## zen_guerrilla

Thanx a lot for answering. The URLs you provided seem quite great, I'll RTFM.

Currently I'm using slack on all my boxes & I'm thinking of replacing it with debian (stable on servers, unstable on workstations), but I guess the process is -more or less- the same as with gentoo. Hopefully I'll try it in 2-3 weeks since it's a production environment & I need a full weekend -without staff present  :Smile: - for the whole migration process.

I'll let you know of the results or any problems I might have.

----------

## rwallace

I assumed you were using Gentoo since you posted here.  If you're going to use debian, though, here's another good link.

LDAPv3 (http://www.bayour.com/LDAPv3-HOWTO.html)

It describes, in full, how to setup kerberos, ldap, and some of openafs (further down the page) on a debian system.  

Also, it should be a little easier since a lot of these libraries and programs are available as debs.  i.e. openafs-krb5 provides the afs-krb5 migration programs like aklog and asetkey.  They use the same pam_krb5 as gentoo, but maybe you'll have more luck with it than I did (the only thing I couldn't get to work was changing passwords, authentication was fine).  Also, since they don't have the pam_krb5 module from sf you won't have pam_krb5afs.  Instead, you can use the libpam-openafs-session package.  I was using it for a while and it works well.  The only problem you might have with this is using a graphical login manager like xdm/gdm/kdm.  It seems there are some cases where on logout, the afs token gets destroyed before all writes to the home directory (for saving settings or whatever) are finished.  This might be gnome-session specific but I'm not sure.  This is what I'm playing with right now.

By the by... I just switched from Debian to Gentoo because of some of the extra flexibility that Gentoo provides.  Let me know how it goes and what problems you run into and what packages, if any, you need to custom compile.  It seems to me one reason for the change was that at the time there were some things I needed to custom compile and didn't want the next apt-get update && apt-get upgrade to wipe out, meaning I'd have to do it all again.

Anyways, let me know how it goes and good luck.

----------

## zen_guerrilla

Thanx for the debian link.

Actually at first I tried Gentoo on that lan & then another source-based distro, however it was time-consuming waiting for all these compiles & that's why I switched to slack, which I was quite familiar with, plus I could compile all the stuff I wanted & package them in a custom way. The problem is slack doesn't have emerge or apt-get so more time is spent updating all these boxes, that's why I ended up with debian. Flexibility & more free time  :Very Happy: 

----------

## bUg-

When compiling krbafs-1.2 found at http://web.mit.edu/openafs/krbafs, numerous parse errors occur. I think rwallace had the same problems, and fixed them....here's the output (sorry for the flood):

```
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  afskrb.c
In file included from afskrb.c:34:
krbafs_locl.h:131: parse error before "des_cblock"
krbafs_locl.h:158: parse error before "CREDENTIALS"
krbafs_locl.h:172: parse error before "CREDENTIALS"
afskrb.c:44: parse error before "CREDENTIALS"
afskrb.c: In function `get_cred':
afskrb.c:46: `KTEXT_ST' undeclared (first use in this function)
afskrb.c:46: (Each undeclared identifier is reported only once
afskrb.c:46: for each function it appears in.)
afskrb.c:46: parse error before "tkt"
afskrb.c:47: `name' undeclared (first use in this function)
afskrb.c:47: `inst' undeclared (first use in this function)
afskrb.c:47: `realm' undeclared (first use in this function)
afskrb.c:47: `c' undeclared (first use in this function)
afskrb.c:50: `tkt' undeclared (first use in this function)
afskrb.c:51: `KSUCCESS' undeclared (first use in this function)
afskrb.c: In function `afslog_uid_int':
afskrb.c:65: `CREDENTIALS' undeclared (first use in this function)
afskrb.c:65: parse error before "c"
afskrb.c:66: `ANAME_SZ' undeclared (first use in this function)
afskrb.c:67: `INST_SZ' undeclared (first use in this function)
afskrb.c:68: `REALM_SZ' undeclared (first use in this function)
afskrb.c:75: `KSUCCESS' undeclared (first use in this function)
afskrb.c:78: `c' undeclared (first use in this function)
afskrb.c: In function `get_realm':
afskrb.c:88: warning: initialization makes pointer from integer without a cast
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  afskrb5.c
In file included from afskrb5.c:34:
krbafs_locl.h:131: parse error before "des_cblock"
krbafs_locl.h:158: parse error before "CREDENTIALS"
krbafs_locl.h:172: parse error before "CREDENTIALS"
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  afssys.c
In file included from afssys.c:34:
krbafs_locl.h:131: parse error before "des_cblock"
krbafs_locl.h:158: parse error before "CREDENTIALS"
krbafs_locl.h:172: parse error before "CREDENTIALS"
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  common.c
In file included from common.c:34:
krbafs_locl.h:131: parse error before "des_cblock"
krbafs_locl.h:158: parse error before "CREDENTIALS"
krbafs_locl.h:172: parse error before "CREDENTIALS"
common.c:60: parse error before "CREDENTIALS"
common.c: In function `kafs_settoken':
common.c:71: `c' undeclared (first use in this function)
common.c:71: (Each undeclared identifier is reported only once
common.c:71: for each function it appears in.)
common.c:73: `uid' undeclared (first use in this function)
common.c:126: `cell' undeclared (first use in this function)
common.c: At top level:
common.c:338: parse error before "CREDENTIALS"
common.c: In function `_kafs_get_cred':
common.c:369: `realm_hint' undeclared (first use in this function)
common.c:370: `data' undeclared (first use in this function)
common.c:370: `cell' undeclared (first use in this function)
common.c:370: `c' undeclared (first use in this function)
common.c:382: `realm' undeclared (first use in this function)
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  lifetime.c
In file included from lifetime.c:14:
krbafs_locl.h:131: parse error before "des_cblock"
krbafs_locl.h:158: parse error before "CREDENTIALS"
krbafs_locl.h:172: parse error before "CREDENTIALS"
lifetime.c:120: conflicting types for `krb_life_to_time'
krbafs_locl.h:143: previous declaration of `krb_life_to_time'
lifetime.c:146: conflicting types for `krb_time_to_life'
krbafs_locl.h:135: previous declaration of `krb_time_to_life'
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  resolve.c
In file included from resolve.h:39,
                 from resolve.c:58:
krbafs_locl.h:131: parse error before "des_cblock"
krbafs_locl.h:158: parse error before "CREDENTIALS"
krbafs_locl.h:172: parse error before "CREDENTIALS"
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  str2key.c
str2key.c:34:22: krb_locl.h: No such file or directory
str2key.c:36: parse error before string constant
str2key.c:36: warning: data definition has no type or storage class
str2key.c:44: parse error before "des_cblock"
str2key.c: In function `afs_string_to_key':
str2key.c:46: `pass' undeclared (first use in this function)
str2key.c:46: (Each undeclared identifier is reported only once
str2key.c:46: for each function it appears in.)
str2key.c:57: `cell' undeclared (first use in this function)
str2key.c:67: warning: assignment makes pointer from integer without a cast
str2key.c:70: `key' undeclared (first use in this function)
str2key.c:77: `des_key_schedule' undeclared (first use in this function)
str2key.c:77: parse error before "sched"
str2key.c:78: `des_cblock' undeclared (first use in this function)
str2key.c:86: warning: assignment makes pointer from integer without a cast
str2key.c:91: `ivec' undeclared (first use in this function)
str2key.c:93: `sched' undeclared (first use in this function)
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  strtok_r.c
In file included from strtok_r.c:41:
krbafs_locl.h:131: parse error before "des_cblock"
krbafs_locl.h:158: parse error before "CREDENTIALS"
krbafs_locl.h:172: parse error before "CREDENTIALS"
strtok_r.c:46: parse error before "__extension__"
strtok_r.c:56: `s1' undeclared here (not in a function)
strtok_r.c:56: warning: data definition has no type or storage class
strtok_r.c:57: parse error before "while"
strtok_r.c:61: `s1' undeclared here (not in a function)
strtok_r.c:61: warning: data definition has no type or storage class
strtok_r.c:62: parse error before "return"
gcc -c  -DHAVE_CONFIG_H -DLIBDIR='"/usr/lib"' -I. -I. -g -O2  strlcpy.c
In file included from strlcpy.c:39:
krbafs_locl.h:131: parse error before "des_cblock"
krbafs_locl.h:158: parse error before "CREDENTIALS"
krbafs_locl.h:172: parse error before "CREDENTIALS"
rm -f libkrbafs.a
ar cr libkrbafs.a afskrb.o afskrb5.o afssys.o common.o lifetime.o resolve.o str2key.o strtok_r.o strlcpy.o
ar: afskrb.o: No such file or directory
make: *** [libkrbafs.a] Error 1
```

However, I've noticed these files weren't being detected while doing ./configure:

```
checking for POSIXized ISC... no
checking for Kerberos headers... no
checking whether byte ordering is bigendian... no
checking for gcc option to accept ANSI C... none needed
checking for NEXTSTEP... no
checking for AIX... no
checking for strlcpy... no
checking for res_search... no
checking for dn_expand... no
checking for afs_string_to_key... no
checking for krb_time_to_life... no
checking for krb_life_to_time... no
checking for krb_atime_to_life... no
checking for krb_life_to_atime... no
checking for krb524_convert_creds_kdc_ccache... no
checking for krb524_convert_creds_kdc... no
checking for sys/filio.h... no
checking for sys/ioccom.h... no
checking for afs/param.h... no
checking for des.h... no
checking for krb.h... no
checking for krb524.h... no
checking for krb5_realm in krb5.h... no
checking for krb5_const_realm in krb5.h... no
checking for session.keytype in krb5_creds... no
checking for sa_len in struct sockaddr... no
checking if crypt needs a prototype... no
checking if strtok_r needs a prototype... no
```

Can anyone help me? 

Thanks

Best Regards, 

Peter.

----------

## bUg-

OK! I managed to install rpms on my gentoo system. I installed krbafs, krbafs-devel and pam-krb5 (version 2.0.2-1) from rpmfind.net

It seems it's ok....I am now adjusting my system-auth to work with all of this. I tried the system-auth you provided here but it didn't work. I am working on it now. If you have a different system-auth please tell me.

----------

## bUg-

I now have pam_openafs-krb5.so , pam_openafs_session.so, pam_krb5.so and pam_krb5afs.so. What are the modules that I should use or not use ?

----------

## rwallace

I would use the pam_krb5afs module.  It's the best one IMO.

----------

## rwallace

For the system-auth file just replace the pam_krb5.so with pam_krb5afs.so and remove all the options from the account line and just put sufficient.

----------

## rwallace

What you need to do to fix the build problems you were having above is specify the CPPFLAGS configure should use.

```
CPPFLAGS=-I/usr/include/kerberosIV ./configure
```

----------

## rwallace

I was just reminded of another issue that comes up when trying to build krbafs-1.2.

Basically there are a couple of functions that are declared to use unsigned long, but in the C file they actually use typedef's.  So just change the header file to use the typedefs.

Edit krbafs_locl.h lines 143 and 135.  In both cases change the first parameter to the function from 'unsigned long start' to 'u_int32_t start'.  On line 135 you also need to change the second parameter from 'unsigned long end' to 'u_int32_t end'.  On line 143 the return type needs to be changed to u_int32_t.

So you should wind up with the following:

```
int krb_time_to_life(u_int32_t start, u_int32_t end); // line 135

...

u_int32_t krb_life_to_time(u_int32_t start, int life); // line 143
```

----------

## rbr28

I'm working through getting kerberos authentication working and haven't had too much trouble so far.  I'm just adding this here to help other users, since this is one of the few kerberos threads in the forum.

I emerged mit-krb5 using the ACCEPT_KEYWORDS="~x86" option

This installed ver. 1.3.1 or something like that instead of 1.2.7 which wouldn't compile for me (it had on previous installs).

I couldn't compile the portage pam_krb5 ebuild so I downloaded the source from the same place as mentioned in previous messages here.

That compiled without any problems.

I edited krb5.conf and used kinit to test getting a token.  Worked fine.

I edited system-auth to use the pam_krb5 library:

```
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so use_first_pass forwardable   # ----this is wrapped
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow   # ---this is wrapped
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5.so
```

I tested logging in using GDM, and my kerberos ID.  Worked with no errors.  I'm not familiar with the afs library and would be interested in knowing why it was suggested that the afs library be used.  I tried compiling that and had some problems.  I didn't bother yet to look into the problems, since it didn't seem necessary for my purposes.  

I'm working on using Kerberos and Winbind to authenticate our users to our Windows domain.  I'll keep you updated on how the next steps go.

----------

## ck84

Hi, I just emerged all packages on my gentoo for authenticating with ldap and kerberos. ldapsearch works well!!!!

here are my config files

/etc/krb5.conf:

```
[libdefaults]
        ticket_lifetime = 24000
        default_realm = CORP.DE
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        CORP.DE = {
        kdc = kerberos.corp.de:88
#       kdc = kerberos2.example.com:88
        admin_server = kerberos.corp.de:749
        default_domain = CORP.DE
        }

[domain_realm]
        .corp.de = CORP.DE
        corp.de = CORP.DE

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[appdefaults]
# Settings for Red Hat
    pam = {
       krb4_convert = false
    }
# Settings for Solaris
    kinit = {
       forwardable = true
       renewable = true
    }
```

/etc/krb5kdc/kdc.conf:

```
[kdcdefaults]
    acl_file = /etc/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /etc/krb5kdc/kadm5.keytab

[realms]
    CORP.DE = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /etc/krb5kdc/kadm5.dict
        key_stash_file = /etc/krb5kdc/.k5.CORP.DE
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
```

I also created a principal called user23, but when I do 'kinit user23' I get this error: kinit(v5): Client not found in Kerberos database while getting initial credentials

But when I do 'kinit user23/admin@CORP.DE' it works fine, I get a ticket and all the stuff. How can I fix it so that it works with 'kinit user23'??

And here goes my 2nd problem: I can't log in with a krb5 principal into my sshd. Here are my config files:

/etc/pam.d/system-auth:

```
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_access.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so
account     required      /lib/security/pam_access.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5.so
```

and here is my /etc/nsswitch.conf:

```
passwd:      compat files ldap
shadow:      compat files ldap
group:       compat files ldap
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files nis
bootparams:  files
automount:   files
aliases:     files
```

plz help me, thx

----------

