SCIENTIFIC-LINUX-USERS Archives

October 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Steven Leikeim <[log in to unmask]>
Reply To: Steven Leikeim <[log in to unmask]>
Date: Thu, 20 Oct 2011 13:57:17 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (60 lines)

On Thu, Oct 20, 2011 at 01:07:45PM -0600, [log in to unmask] wrote:
>    Hi,
> 
>    How can I get Kerberos tickets at login?
> 
>    When I login to my workstation, the account is authenticated against AD.
> 

Peter,

How is the account authenticated against AD? We're doing this here but accessing
AD as an LDAP server.

>    But with klist, no ticket is displayed, so to get a Kerberos ticket, an
>    additional call to kinit is required.
> 

It sounds like your /etc/krb5.conf file is correct as you are able to get
Kerberos tickets.

>    Which configuration options can be used on SL 5.5, to get Kerberos tickets
>    immediately after login?
> 

In System -> Administration -> Authentication, there is a checkbox to enable
Kerberos support for Authentication as well as Configure your Kerberos settings.

It's been quite a while since we set this up and I can't remember if this was
sufficient or additional manual configuration was required. The important part
of Kerberos getting tickets automatically is in /etc/pam.d/system-auth. Here
we have the following line in the auth section:

	auth        sufficient    pam_krb5.so use_first_pass

(There are similar lines in other sections.)

This works for us here, and has worked with a different (i.e. non-AD) LDAP
server. The only caveat to this is that for this to work properly, passwords
must be synchronized between LDAP and AD.

If you have any other questions on this, please feel free to ask.

I hope this helps.




Steven Leikeim

-- 

Steven Leikeim, GSEC-Gold        | We, the willing
Schulich School of Engineering   | led by the unknowing
Information Technologies         | are doing the impossible
                                 | for the ungrateful.
University of Calgary            | We have done so much
Calgary, Alberta                 | for so long with so little
                                 | we are now qualified
Phone: (403) 220-5373            | to do anything with nothing.
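
An added example, not part of the original message: a small checker for the /etc/pam.d/system-auth point above. It parses a PAM file, lists the sections that reference pam_krb5.so, and flags an auth stack where pam_krb5.so is absent or where an earlier `sufficient` directory module would end the stack on success before pam_krb5.so runs, so no ticket is requested. The sample stacks, the function names and the NETWORK_MODULES list are constructed assumptions.

```python
import os

# Constructed sample stacks (not taken from the poster's host).
KRB5 = "auth        sufficient    pam_krb5.so use_first_pass\n"
GOOD = (
    "auth        required      pam_env.so\n"
    "auth        sufficient    pam_unix.so nullok try_first_pass\n"
    + KRB5 +
    "auth        required      pam_deny.so\n"
    "session     required      pam_unix.so\n"
    "session     optional      pam_krb5.so  # similar line in another section\n"
)
# Same stack, but a directory module succeeds first and short-circuits.
SHADOWED = GOOD.replace(
    KRB5, "auth        sufficient    pam_ldap.so use_first_pass\n" + KRB5)

# Assumption: modules able to authenticate directory users by themselves.
NETWORK_MODULES = {"pam_ldap.so", "pam_winbind.so"}


def parse_pam(text):
    """Return (type, control, module, args) for each rule in a pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ptype, rest = line.split(None, 1)
        if rest.startswith("["):              # [success=ok default=bad] form
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        rules.append((ptype.lstrip("-"), control, os.path.basename(module), args))
    return rules


def krb5_sections(text):
    """Sorted list of PAM sections (auth, session, ...) that call pam_krb5.so."""
    return sorted({r[0] for r in parse_pam(text) if r[2] == "pam_krb5.so"})


def check_krb5_auth(text):
    """List reasons a login through this auth stack may not request a ticket."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    idx = next((i for i, r in enumerate(auth) if r[2] == "pam_krb5.so"), None)
    if idx is None:
        return ["pam_krb5.so missing from auth stack"]
    return [f"{module} is sufficient before pam_krb5.so"
            for _, control, module, _ in auth[:idx]
            if control == "sufficient" and module in NETWORK_MODULES]
```

On a real host, pass the contents of /etc/pam.d/system-auth to `check_krb5_auth`; an empty list means neither condition was found.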
