>-----Original Message-----
>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Craig White
>Sent: Monday, November 21, 2005 4:21 PM
>To: fedora-list@xxxxxxxxxx
>Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>
>
>On Mon, 2005-11-21 at 16:03 -0800, Daniel B. Thurman wrote:
>> -----Original Message-----
>> From: Bohmer, Andre ten [mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Bohmer, Andre ten
>> Sent: Monday, November 21, 2005 1:43 PM
>> To: For users of Fedora Core releases
>> Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>>
>>
>> Hi,
>>
>> Maybe you have to enable local authorization sufficient in
>> order to use su? We're using kerberos v5 to authenticate Linux
>> accounts against Active Directory, and had a similar problem
>> on Red Hat EL AS 4.
>> Sorry for the very bad quoting, using OWA ...
>>
>> Cheers,
>> Andre
>>
>> Hmm... What do you mean by 'local authorization sufficient' ?
>>
>> What I noticed was in /var/log/krb5kdc.log is that it was reporting a lot
>> of root@REALM principal was missing in the database so I added the
>> root principal and that appeared to make the log a bit quieter but
>> the su root problem still remains.
>>
>> I am guessing that somewhere I will need to allow user root access with
>> kerberos as the googles mentioned it for kerberos IV (kdb_edit) but does
>> not say anything about kerberos 5 so I am assuming that kdb_edit is
>> depreciated and something else takes its place?
>>
>> Another person who responded asked me to check /etc/pam.d/su but
>> I cannot tell what I am supposed to look at. I will need to check to see
>> if kerberos entries need to be in there since I saw some instructions
>> from http://www.ofb.net/~jheiss/krbldap/howto.html mentions to add
>> kerberos support to /etc/pam/system-auth but
>> nothing about /etc/pam.d/su ...
>>
>> Any pointers, links, howtos, or whatever is appreciated!
>----
>perhaps you are way beyond this but did you run system-config-authorization
>and enable kerberos authorization?
>
>su does its own pam stuff as well.

I think this is the area I am trying to figure out. Someone told me
that you have to do *something* to give users the right to su as root
when I did FC1. Dang... I forgot what it was....

>
>also, are you pretty together with saslauthd?

No, not really. I got kerberos and ldap running and so far seems to do
SSL/TLS and SASL/GSSAPI or so it seems but what does saslauthd have to do
with this? Beats me! :-)

>
>/etc/saslauthd.conf ?

No. The above file does not exist in my FC4 system. I found only one file
in the entire filesystems as:
/usr/share/logwatch/default.conf/services/saslauthd.conf

>/etc/sysconfig/saslauthd ?

No. I am not running saslauthd at this time. Odd thing to me is that I am
able to execute sasl with ldap - got that working so I am not sure about
saslauthd. Guess I will have to read up on this one...

>
>Craig
>
>