[FreeNX-kNX] Kerberos & FreeNX

Henrik Schmiediche henrik at stat.tamu.edu
Fri May 25 17:34:38 UTC 2007


 

Thanks. Changing  /etc/pam.d/common-account from

 

  account    requisite    pam_unix2.so

  account    required     pam_krb5.so     use_first_pass



to

 

  account    required     pam_unix2.so

 

worked for me. Clearly Pam expect the 'nx' account to exist on the domain.
The above fixes this, though the above solution may not be what some people
want to do. A more elegant solution might be:

 

  account    requisite    pam_unix2.so 

  account    sufficient   pam_succeed_if.so uid < 500 quiet

  account    required     pam_krb5.so     use_first_pass

 

Sincerely,

 

-          henrik

 

From: Terje Andersen [mailto:terander at guard.zapto.org] 
Sent: Friday, May 25, 2007 11:28 AM
To: freenx-knx at kde.org
Subject: [30] Re: [FreeNX-kNX] Kerberos & FreeNX

 

----- Melding fra henrik at stat.tamu.edu ---------
    Dato: Thu, 24 May 2007 11:06:37 -0500
     Fra: Henrik Schmiediche <henrik at stat.tamu.edu>
Svar-til: User Support for FreeNX Server and kNX Client <freenx-knx at kde.org>
    Emne: [FreeNX-kNX] Kerberos & FreeNX
     Til: 'User Support for FreeNX Server and kNX Client'
<freenx-knx at kde.org>


>        Hello,
>
> I am running FreeNX-0.5.0-25 & NX-1.5.0-73 on Suse 10.2. NX work fine out
of
> the box with local or NIS account. When I enable Kerberos to do user
> authentication (against a Windows domain) NX stops to function. The
command:
>

Try to search this list for the topic "NX and PAM" from April 2007 - think
you might get some help from that.

>
>
> results in an immediate closed connection. If I disable Kerberos
> authentication then the above command works as it should and NX client
> logins work. Note that I can ssh into the system and authenticate just
fine
> when using ssh with Kerberos. The problem only appears when using NX.
>

NX logs in a user 'nx' via a ssh connection using ssh keys (NoMachine or
private generated) and when this is successfully established, the _actual_
authentication of the users executes/starts. 
IMHO you need to first allow the ssh-connection for the user 'nx', then use
Kerberos to authenticate the users from the AD-Domain. All this you control
via PAM.


    /Terje

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/freenx-knx/attachments/20070525/ec6b5b0f/attachment.html>


More information about the FreeNX-kNX mailing list