On 6/09/23 12:09, Mark Davies wrote:
The problem with that one is that su doesn't actually die, the pam_ksu just errors in some way so that pam abandons it and moves on to other authentication types, and I can't ktrace it as su is a suid program so I'll probably have to stuff some more debugging into pam_ksu.c to try and narrow it down.

OK, so revision 1.10 of pam_ksu.c adds a call to krb5_set_home_dir_access(NULL, FALSE); which causes the subsequent call to krb5_kuserok() to return false when previously it would return true, causing the whole pam_ksu to bail.


krb5_kuserok() is presumably now returning false because if it can't access the homedir it can't read /root/.k5login to see that mark/[email protected] is allowed.

cheers
mark
