For RHEL 7, where do I find the the rpm "krb5-auth-dialog"

Latest response

Hello,

I'm having some difficulties finding the above mentioned rpm in any RHEL 7 channel/repository.

According to the chapter 6.3 of the System Level Authentication Guide, it's a matter of a yum install.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/System-Level_Authentication_Guide/Red_Hat_Enterprise_Linux-7-System-Level_Authentication_Guide-en-US.pdf

But what repository do I need to enable to have it available on the node?

Thanks in advance,

Responses

Hi Jan,

Good catch! The krb5-auth-dialog package isn't available for RHEL 7. It still is in RHEL 6, but it's deprecated in RHEL 7; AFAIK, mainly because Gnome Online Accounts can manage kerberos tickets in the GUI even better.

I'll notify the maintainers of the guide.

Radek

Hello Jan,

Good catch indeed, thanks for bringing this to our attention. As one of the maintainers of the System-Level Authentication Guide, I removed krb5-auth-dialog from section 6.3 and from a few other sections as well. (The updated version of the guide should be available with the next release.)

Hello, so which tool actually replaces krb5-auth-dialog in RH-7? I have read the manual and did not find the answer...

Hi Ondrej, the Gnome Online Accounts tool provides a similar functionality, and is mentioned as a replacement for krb5-auth-dialog in the Migration Planning Guide. It's even better than krb5-auth-dialog, which only informed you when your ticket was about to expire. GOA, on the other hand, renews the ticket for you automatically (if you allow it to remember the password; meaning, store it in Seahorse).

I couldn't quickly find Red Hat docs covering GOA usage and Kerberos setup, but this blog post by Matthias Clasen nicely describes the steps needed. (Scroll down to The last thing I have managed to capture in screenshots is the support for secondary Kerberos logins that has been integrated in gnome-online-accounts.)

Hi Radek, I have tried GOA yesterday (it seems to be enabled by default for me, which is good). It sees my credentials fine. The disadvantage is that if I run 'kdestroy' in terminal, I would expect GOA to pop up a dialogue window (i.e. much like krb5-auth-dialoge) prompting me to enter my password. This is not happening. I would also expect the default Gnome-3 screensaver to refresh my Kerberos ticket which is also not happening. Obviously it's not quite fit for production yet :-(. Ondrej

Yeah, there are cases where GUI tools don't see changes made in the CLI, unfortunately. :( An example is when you're logged in to Gnome and add yourself to the wheel group in the CLI (usermod), thinking you'll be able to use sudo immediately, but your GUI session doesn't pick this change automatically.

For Kerberos handling, I suggest you use GOA again to destroy the currently valid ticket; basically, use either the CLI (kinit/klist/kdestroy) or the GUI (GOA) consistently. That's what I've been doing since RHEL 7.0, and I've always been a happy user of both the GUI on my workstation and the CLI on a remote server.

Anyway, please file bugs if you notice that GOA has room for improvement in your environment.