On 24 March 2014 11:31, Wendy Lin <wendlin1...@gmail.com> wrote:
> I am trying to allow user root (uid=0) to be authenticated via
> Kerberos5 at login time, too, but if I do I get a "User not known to
> the underlying authentication module" error and login is refused.
>
> OS is Suse 13.1
>
> pam config is:
> grep -r krb5 /etc/pam.d/
> /etc/pam.d/common-password-pc:password sufficient pam_krb5.so
> /etc/pam.d/common-account-pc:account required pam_krb5.so
> use_first_pass
> /etc/pam.d/common-auth-pc:auth sufficient pam_krb5.so use_first_pass
> /etc/pam.d/common-session-pc:session optional pam_krb5.so
>
> What am I doing wrong?

I found a solution for my problems, including that root didn't get
krb5 tickets. I swapped pam_krb5 and pam_unix in common-auth,
resulting in:
------------------------------
cat /etc/pam.d/common-auth
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_krb5.so try_first_pass
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so

diff -u /etc/pam.d/common-auth.old /etc/pam.d/common-auth auth required pam_env.so auth optional pam_gnome_keyring.so -auth sufficient pam_unix.so try_first_pass -auth sufficient pam_krb5.so use_first_pass +auth sufficient pam_krb5.so try_first_pass +auth sufficient pam_unix.so use_first_pass auth required pam_deny.so
------------------------------

Of course, I do not know why this suddenly works. Can someone explain
this? Why didn't it work when pam_unix came first?

Wendy
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
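
Review bot: the order of the two `sufficient` lines is now load-bearing and nothing in the file records that; add a comment above the `+auth sufficient pam_krb5.so try_first_pass` line saying the order is deliberate. With `sufficient`, the first module that succeeds ends the auth stack, so in the old order a local password match in pam_unix.so returned before pam_krb5.so ran, and in the new order pam_unix.so is reached only when pam_krb5.so fails. Because pam_unix.so now carries `use_first_pass`, it never prompts on its own and depends on the password pam_krb5.so collected, so test a local-only login (root included) with the KDC unreachable before relying on this. Also, the earlier grep found the krb5 entries in `/etc/pam.d/common-auth-pc` while this diff edits `/etc/pam.d/common-auth`; confirm both names refer to the same file so the change is not lost when the `-pc` file is regenerated.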