
Bug#1051841: debian-edu-testsuite reports errors



[Guido Berhoerster]
>> error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is enabled
>
> /etc/pam.d/common-auth contains:
>
>     …
>     auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
>     auth    [success=2 default=ignore]      pam_unix.so nullok try_first_pass
>     auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
>     …
>
> So PAM tries them in the given order until one succeeds, I'm not sure
> what is wrong with that. The git history of testsuite/ldap-client is
> not helpful either why this was added.

The pam_ldap.so line should be removed.  The LDAP authentication sends
the password over to the LDAP server for verification, hopefully via a
TLS channel, allowing a rogue server to collect user passwords, while
Kerberos only sends an encrypted timestamp to the server.  Because of
this Debian Edu does not want LDAP authentication enabled, and uses
Kerberos exclusively over the network.

>> error: ./rdp-server: xrdp service is not listening on 3389/tcp.'
>
> This can probably be ignored as I have set up FAI on top of my LTSP
> setup.

I do not understand what you mean here.  How is this relevant?

-- 
Happy hacking
Petter Reinholdtsen
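
The condition behind the ldap-client error above, as an added example that is not the testsuite's own code: it lists which of pam_krb5, pam_ldap and pam_sss are enabled in an auth stack and fails when more than one is. Both sample stacks are constructed; the pam_deny/pam_permit tail and the lowered success=N counts in AFTER are assumptions, as are the function names.

```shell
#!/bin/sh
# Constructed samples. BEFORE holds the three lines quoted in the message plus
# an assumed pam_deny/pam_permit tail; AFTER drops pam_ldap.so and lowers the
# success=N jump counts to match (success=N skips the next N modules).
BEFORE='auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so'
AFTER='auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
# auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so'

# Print the enabled krb5/ldap/sss modules of the auth stack read from stdin.
network_auth_modules() {
    awk '
        /^[ \t]*#/ { next }              # commented-out lines are not enabled
        { sub(/^-/, "", $1) }            # "-auth" is still an auth entry
        $1 != "auth" { next }
        {
            # The bracketed control field contains spaces, so the module is
            # not always $3: scan all fields and strip any directory part.
            for (i = 2; i <= NF; i++) {
                n = split($i, p, "/")
                if (p[n] ~ /^pam_(krb5|ldap|sss)\.so$/ && !seen[p[n]]++)
                    print p[n]
            }
        }'
}

# Return 0 when at most one network auth module is enabled, 1 otherwise.
check_single_network_auth() {
    mods=$(network_auth_modules)
    count=$(printf '%s\n' "$mods" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        echo "error: $count network auth modules enabled:" $mods
        return 1
    fi
    echo "ok: ${mods:-none}"
}

printf '%s\n' "$BEFORE" | check_single_network_auth || true
printf '%s\n' "$AFTER"  | check_single_network_auth
```

On a Debian system /etc/pam.d/common-auth is normally regenerated by pam-auth-update, which recomputes the success=N counts when a profile is disabled.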

