On Wed, Nov 11, 2009 at 04:46, Braden McDaniel <bra...@endoframe.com> wrote:

> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
For starters, here's my '/etc/pam.d/system_auth':

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so minimum_uid=9999 debug
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_krb5.so minimum_uid=9999 debug
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so minimum_uid=9999 debug
password    required      pam_deny.so

#session    optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_krb5.so minimum_uid=9999 debug
session     required      pam_unix.so

There are some differences between our setups. The biggest difference appears to be that I'm using 'pam_krb5' in combination with 'nss_ldap', because my user/group accounts are stored in LDAP (on an MS Active Directory DC). All accounts are either purely local (only exist in /etc/passwd, group, and shadow) or purely AD (only exist in Kerberos and LDAP); there are no overlapping cases where an account has a local /etc/passwd entry and a Kerberos principal as well.

So I don't think this will be very useful to you, after all. Sorry about that. But I do want to suggest a couple of things that might help:

- Authenticating SSH logins via Kerberos tokens requires some changes to ssh_config, and possibly sshd_config, as well. If you haven't modified either the client or server for GSS/Kerberos operations, and you're not using any special command-line options, that may be part of your problem.

- Can you post a copy of your /etc/krb5.conf file up here, as well? In my experience, it's awfully hard to distinguish between errors in the krb5.conf and pam.d/system_auth.

- I wanted to echo Javier's suggestion about using the 'debug' parameter to 'pam_krb5'. You can activate it via the 'system_auth' lines, or via your 'krb5.conf'. I could not have gotten my setup to work without the debug messages.

-Ryan
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
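The two stacks above are hard to reason about by eye, and the thread's question is really "which module gets consulted for which kind of user". The following is an added example, not code from Ryan, Braden, or the Linux-PAM project: a small Python simulator of the Linux-PAM control-flag semantics documented in pam.conf(5) (required/requisite/sufficient/optional mapped to their bracketed [retval=action] equivalents, plus ok/done/bad/die/ignore/reset and numeric jumps). It walks the auth lines of the stack Ryan posted under a few constructed scenarios; the per-module return codes in each scenario are assumptions standing in for what pam_unix, pam_succeed_if and pam_krb5 would decide from /etc/shadow, NSS and the KDC, and the module names in SYSTEM_AUTH are copied from the post. It also shows what the trailing pam_deny.so line buys you by re-running the stack without it.

```python
"""Simulate how Linux-PAM walks a module stack (control-flag semantics as
described in pam.conf(5)).  Added example, not code from the thread or from
Linux-PAM; module verdicts are assumed per scenario, not computed by real modules."""
import re

# Simple control keywords expressed as the [retval=action] form they are
# equivalent to, per pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
NON_FAILURE = ("success", "new_authtok_reqd")

# Constructed sample: the auth lines of the system-auth stack posted above.
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so minimum_uid=9999 debug
auth        required      pam_deny.so
"""

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text, mtype="auth"):
    """Return [(control_dict, module, args)] for the lines of the given type."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam line: %r" % raw)
        typ, ctrl, module, args = m.groups()
        if typ != mtype:
            continue
        control = (dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else SIMPLE_CONTROLS[ctrl])
        if "default" not in control:
            raise ValueError("control for %s has no default action" % module)
        entries.append((control, module, args.split()))
    return entries

def run_stack(entries, verdicts):
    """Walk the stack; 'verdicts' maps module file name -> assumed return code
    (unlisted modules are assumed to return "success").
    Returns (final status, list of modules actually consulted)."""
    status, impression, called = None, None, []   # impression: None, "pos" or "neg"
    i = 0
    while i < len(entries):
        control, module, _ = entries[i]
        i += 1
        retval = verdicts.get(module, "success")
        called.append(module)
        action = control.get(retval, control["default"])
        skip = 0
        if action.isdigit():                      # jump N: behaves as "ok", then skips N lines
            skip, action = int(action), "ok"
        if action == "ignore":
            continue
        if action == "reset":                     # forget everything decided so far
            status, impression = None, None
            continue
        if action in ("ok", "done"):
            if impression != "neg":               # cannot override an earlier failure
                status = retval
                impression = "pos" if retval in NON_FAILURE else "neg"
            if action == "done" and impression == "pos":
                break                             # sufficient succeeded, nothing failed before it
        elif action in ("bad", "die"):
            if impression != "neg":
                impression = "neg"
                status = retval if retval != "success" else "perm_denied"
            if action == "die":
                break                             # requisite failed: stop at once
        else:
            raise ValueError("unknown action %r" % action)
        i += skip
    return (status if impression else "perm_denied"), called

# Assumed verdicts (constructed); pam_deny always fails, so it is added by evaluate().
SCENARIOS = {
    "local user, good password":            {"pam_unix.so": "success"},
    "local uid<500, bad password":          {"pam_unix.so": "auth_err", "pam_succeed_if.so": "auth_err"},
    "AD-only user, good Kerberos password": {"pam_unix.so": "user_unknown", "pam_krb5.so": "success"},
    "AD-only user, bad Kerberos password":  {"pam_unix.so": "user_unknown", "pam_krb5.so": "auth_err"},
}

def evaluate(scenario, keep_deny=True):
    verdicts = dict(SCENARIOS[scenario], **{"pam_deny.so": "auth_err"})
    stack = [e for e in parse_stack(SYSTEM_AUTH) if keep_deny or e[1] != "pam_deny.so"]
    return run_stack(stack, verdicts)

if __name__ == "__main__":
    for name in SCENARIOS:
        status, called = evaluate(name)
        print("%-38s -> %-11s via %s" % (name, status, " -> ".join(called)))
    print("bad AD password, no pam_deny line      ->",
          evaluate("AD-only user, bad Kerberos password", keep_deny=False)[0])
```

Two things the trace makes visible: the requisite `uid >= 500` line stops a failed local login before pam_krb5 is ever called (so system accounts never generate KDC traffic), and with the final pam_deny line removed a wrong Kerberos password falls through to the "success" left behind by pam_env and pam_succeed_if, because every sufficient module's failure is only "ignore". The simulator simplifies one corner of the real dispatcher (it treats any non-negative running result as overridable), which does not affect these stacks.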