On Mon, 2005-11-21 at 16:03 -0800, Daniel B. Thurman wrote:
> -----Original Message-----
> From: Bohmer, Andre ten [mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Bohmer, Andre ten
> Sent: Monday, November 21, 2005 1:43 PM
> To: For users of Fedora Core releases
> Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>
>
> Hi,
>
> Maybe you have to enable local authorization sufficient in
> order to use su? We're using kerberos v5 to authenticate Linux
> accounts against Active Directory, and had a similar problem
> on Red Hat EL AS 4.
> Sorry for the very bad quoting, using OWA ...
>
> Cheers,
> Andre
>
> Hmm... What do you mean by 'local authorization sufficient' ?
>
> What I noticed in /var/log/krb5kdc.log is that it was reporting
> a lot of root@REALM principal was missing in the database, so I added
> the root principal and that appeared to make the log a bit quieter,
> but the su root problem still remains.
>
> I am guessing that somewhere I will need to allow user root access
> with kerberos, as the googles mentioned it for kerberos IV (kdb_edit)
> but do not say anything about kerberos 5, so I am assuming that
> kdb_edit is deprecated and something else takes its place?
>
> Another person who responded asked me to check /etc/pam.d/su but
> I cannot tell what I am supposed to look at. I will need to check to
> see if kerberos entries need to be in there, since I saw some
> instructions from http://www.ofb.net/~jheiss/krbldap/howto.html that
> mention adding kerberos support to /etc/pam/system-auth but
> nothing about /etc/pam.d/su ...
>
> Any pointers, links, howtos, or whatever is appreciated!
----
perhaps you are way beyond this but did you run
system-config-authorization and enable kerberos authorization?

su does its own pam stuff as well.

also, are you pretty together with saslauthd?
/etc/saslauthd.conf ?
/etc/sysconfig/saslauthd ?

Craig