On Mon, Aug 21, 2017 at 02:53:39PM -0400, Louis Garcia wrote:
On Mon, Aug 21, 2017 at 3:22 AM, Lukas Slebodnik
> On (19/08/17 14:45), Louis Garcia wrote:
> >On Sat, Aug 19, 2017 at 5:01 AM, Lukas Slebodnik <lslebodn(a)redhat.com>
> >> On (19/08/17 10:57), Lukas Slebodnik wrote:
> >> >I think it would be better to start from scratch:
> >You did tell me that I was not hitting that RH bug. Sorry.
> >> >
> >> >Please answer to following question:
> >> >Is your local password the same as kerberos password?
> And this is the main problem why it does not work for you.
> Because pam_unix will be used as the first one.
> And I would not recommend changing the order of modules in the PAM stack manually.
> Your local account should have a different password or should not have
> one at all. Otherwise such a setup will not work for you.
Hey we are finally getting somewhere.
If I delete my local account I can't login at all. I added my local account
back but with no password and I was able to login and get my kerberos
So with this setup I still need a local account on every box I use, with no
password or a different one than the kerberos one?
I thought I could centrally
manage my user accounts and passwords with kerberos?
Well, kerberos doesn't provide an OS-level identity. So even with
Kerberos, you still need some entity that defines the username, the UID,
GID, shell etc. Here it's a line in /etc/passwd, with IPA it would be an
entry in LDAP. Then you need a way to map the Kerberos principals to
these identities, often as easy as saying "OS-level username + REALM
name = Kerberos principal".
Do I need something like freeipa? Might be a bit out of bounds for this list.
Thank you for your help.
It really depends on your use-case. I think the users-in-files + Kerberos
authentication setup is fine for a single workstation, but for multiple
machines, I would go with the FreeIPA/AD/whatever route.
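The two points the thread settles, that the OS-level identity comes from /etc/passwd while Kerberos only authenticates, and that a local password in /etc/shadow is what pam_unix matches first, can be turned into a small audit. The following is an added example written for this page, not code from the list posters or from the sssd project. It reads constructed /etc/passwd and /etc/shadow lines (sample data, not from any real host), maps each regular user to the "username@REALM" principal the reply describes, and flags accounts that still carry a local password hash, since those are the ones where pam_unix rather than the Kerberos module decides the login. The realm EXAMPLE.COM and the UID threshold of 1000 are assumptions.

```python
"""Audit local accounts on a host that authenticates users against Kerberos.

Added example for this thread; constructed sample data only.
"""
from typing import Dict, List

REALM = "EXAMPLE.COM"  # assumption: placeholder realm, not taken from the thread

# Constructed sample /etc/passwd entries (7 colon-separated fields).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "louis:x:1000:1000:Louis:/home/louis:/bin/bash",
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
    "svc:x:1002:1002:Service:/var/lib/svc:/sbin/nologin",
]

# Constructed sample /etc/shadow entries; only the password field matters here.
SHADOW_LINES = [
    "root:$6$saltsalt$constructedhash:17400:0:99999:7:::",
    "louis::17400:0:99999:7:::",                       # empty field: no local password
    "alice:$6$saltsalt$anotherconstructedhash:17400:0:99999:7:::",  # local password set
    "svc:!!:17400:0:99999:7:::",                       # locked, never had a password
]


def parse_passwd(lines: List[str]) -> Dict[str, dict]:
    """Return the OS-level identities (uid, gid, shell) keyed by username."""
    users: Dict[str, dict] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess at its meaning
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_shadow(lines: List[str]) -> Dict[str, str]:
    """Return the raw password field of each shadow entry keyed by username."""
    fields: Dict[str, str] = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2:
            continue
        fields[parts[0]] = parts[1]
    return fields


def classify_shadow_field(field: str) -> str:
    """Classify a shadow password field: 'none', 'locked' or 'hash'."""
    if field == "":
        return "none"          # no local password at all
    if field.startswith(("!", "*")):
        return "locked"        # locked or disabled; nothing pam_unix can match
    return "hash"              # a real local password hash is present


def principal_for(username: str, realm: str) -> str:
    """The simple mapping from the thread: OS-level username + realm."""
    return f"{username}@{realm}"


def audit(passwd_lines: List[str], shadow_lines: List[str], realm: str,
          min_uid: int = 1000) -> List[dict]:
    """List regular users with their principal and local-password state."""
    users = parse_passwd(passwd_lines)
    shadow = parse_shadow(shadow_lines)
    report = []
    for name, ident in sorted(users.items(), key=lambda kv: kv[1]["uid"]):
        if ident["uid"] < min_uid:
            continue  # system accounts are not the Kerberos users discussed here
        state = classify_shadow_field(shadow[name]) if name in shadow else "unknown"
        if state == "hash":
            note = "pam_unix matches this password first; it must differ from the Kerberos one"
        elif state == "unknown":
            note = "no shadow entry found; review manually"
        else:
            note = "no local password to match; login falls through to the Kerberos module"
        report.append({"username": name, "uid": ident["uid"], "shell": ident["shell"],
                       "principal": principal_for(name, realm),
                       "local_password": state, "note": note})
    return report


if __name__ == "__main__":
    for row in audit(PASSWD_LINES, SHADOW_LINES, REALM):
        print(f"{row['username']:<8} {row['principal']:<22} {row['local_password']:<8} {row['note']}")
```

Run against real files the same parsing applies to `/etc/passwd` and `/etc/shadow` (the latter needs root to read); the `hash` rows are the accounts in the situation the thread diagnoses, where the local password rather than Kerberos is what gets checked.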