Thanks for your response Andrew. I'm not sure actually! How should I go about checking this? As mentioned, the first pam config file below does succeed, so I think auth is the right thing to be using. John -----Original Message----- From: Andrew Morgan Are you sure that it is the 'auth' sequence that is causing the failure or the 'setcred' sequence? Cheers Andrew Cole, John wrote: > I'm trying to implement login authentication via multiple KRB5 realms for an > application. Currently using RedHat 7.2 with pam-0.75-19.rpm [Let me know > what other version info might be needed!] > > I'm observing some very strange behavior when using the same module more > than once. Although the module seems to succeed (per debug messages), PAM > seems to return failure to the applications. > > The following PAM file is used with success (which verifies I'm talking to > the krb server a-ok) > #%PAM-1.0 > auth required /lib/security/pam_env.so debug > auth sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM > auth required /lib/security/pam_deny.so debug > > What I'd like to do is something like: > #%PAM-1.0 > auth required /lib/security/pam_env.so debug > auth sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM > auth sufficient /lib/security/pam_krb5.so debug realm=B.COMPANY.COM > auth required /lib/security/pam_deny.so debug > > but it fails every time. > > I've tried two different things, in an effort to debug WHY this happens. My > first thought is that it'd be bad to authenticate again after getting a > success. So I changed things to: > > #%PAM-1.0 > auth required /lib/security/pam_env.so debug > auth [success=2 default=ok] /lib/security/pam_krb5.so debug > realm=A.COMPANY.COM > auth [success=1 default=ok] /lib/security/pam_krb5.so debug > realm=B.COMPANY.COM > auth required /lib/security/pam_deny.so debug > > but that doesn't seem to work as the documentation I've seen indicates; i.e. > that we'd skip over B realm if A realm passed. I think my ultimate solution > should be something like this, but I'm not sure where I went wrong. > > So, in an effort to divide and conquer my problem, I changed to a case that > I expected to succeed. Making two requests to the realm that can > authenticate the user. Debug results from the krb module reports success > both times, but PAM still returns failure!!! > #%PAM-1.0 > auth required /lib/security/pam_env.so debug > auth sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM > auth sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM > auth required /lib/security/pam_deny.so debug > > I'm not sure if I've stumbled across 1-2 bugs, or if I'm way off base. Any > help would be appreciated! > > John