Gentoo + AD + pam_mount + ssh = single password?
February 16, 2008 10:54 AM

Can I get a Gentoo machine to authenticate/mount home directories from a Windows 2003 server with a single password?

In the computer lab I help administrate, we have a headless Linux project box, running Gentoo, that uses Pluggable Authentication Modules (PAM) to authenticate against the lab's 2003 Active Directory server. We have PAM set up so that it authenticates properly, and can even mount the user's directory on the server on their home directory (using pam_mount).

The problem: when logging in via ssh, it currently requires two passwords (one for ssh login, one for home directory mounting). This is not a problem on the Linux workstation in the lab (using gdm and roughly the same PAM configs for logins).

So my question: how do I configure this project box to use only one password for login/directory mounting?
posted by grandsham to Computers & Internet (4 answers total)
 
Here's a Linux and AD integration guide. At the bottom it recommends a few options for home directory mounting that might be useful, but I haven't tried them.
posted by purephase at 3:06 PM on February 16, 2008


As a quick workaround, could you perhaps configure ssh to use public key authentication instead of passwords?
posted by flabdablet at 3:58 PM on February 16, 2008


You may also wish to ask the Gentoo Forums.
posted by sandking at 7:00 PM on February 16, 2008


Is pam_mount in the auth/account stack for ssh?

If your ssh client (the system you're coming in from) can be Kerberized, you should be able to acquire credentials from the AD server there, and forward (using GSSAPIAuthentication=yes and GSSAPIDelegateCredentials) them to the Gentoo box to be used for login and mount authentication.

Note that this is slightly speculative -- my experience is with Kerberos on Solaris primarily, though I am fiddling with AD/Samba4.
posted by 5MeoCMP at 8:03 PM on February 16, 2008
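
The question in the last answer (which PAM stacks of the ssh service actually load pam_mount) can be checked with a short script. This is an added example, not part of any answer in the thread; the function names `pam_stacks` and `pam_stacks_demo`, the `/etc/pam.d/sshd` path in the usage comment and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list the PAM stacks (auth/account/password/session) of a
# service file that load a module, following include/substack/@include lines.
# Usage: pam_stacks /etc/pam.d/sshd pam_mount   (path is an assumption)
pam_stacks() {
    awk -v file="$1" -v mod="$2" -v dir="$(dirname "$1")" '
    function full(x) { return (x ~ /^\//) ? x : dir "/" x }
    function scan(path, only,    line, f, n, type, i, target) {
        if (path in active) return            # guard against include loops
        active[path] = 1
        while ((getline line < path) > 0) {
            sub(/#.*/, "", line)              # drop comments
            n = split(line, f, " ")
            if (f[1] == "@include" && n >= 2) { scan(full(f[2]), only); continue }
            if (n < 3) continue
            type = f[1]; sub(/^-/, "", type)  # leading "-" only silences a missing module
            if (only != "" && type != only) continue
            i = 2                             # step over a bracketed [a=b c=d] control
            if (f[2] ~ /^\[/) while (i < n && f[i] !~ /\]$/) i++
            target = f[i + 1]
            if (f[2] == "include" || f[2] == "substack") scan(full(target), type)
            else if (target ~ ("(^|/)" mod "(\\.so)?$")) seen[type] = 1
        }
        close(path)
        delete active[path]
    }
    BEGIN {
        scan(file, "")
        k = split("auth account password session", order, " ")
        for (j = 1; j <= k; j++)
            if (order[j] in seen) out = out (out == "" ? "" : " ") order[j]
        print out
    }'
}

# Constructed sample files, not taken from the thread.
pam_stacks_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'auth include system-auth' 'account include system-auth' \
        'session include system-auth' > "$d/sshd"
    printf '%s\n' 'auth required pam_env.so' 'auth optional pam_mount.so' \
        'account required pam_unix.so' '# session optional pam_mount.so' \
        'session [success=1 default=ignore] pam_succeed_if.so quiet uid < 1000' \
        '-session optional /lib/security/pam_mount.so' > "$d/system-auth"
    pam_stacks "$d/sshd" pam_mount
    rm -rf "$d"
}
pam_stacks_demo    # prints: auth session
```

An empty result means the service file never reaches the module, directly or through an included file.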

