I think I'd suggest (downloading Linux-PAM-0.76, and/or) compiling this
module:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/modules/pam_warn/pam_warn.c?rev=1.2&content-type=text/vnd.viewcvs-markup

And placing it in the pam stack as optional before, between and after
each line in your auth stack. This should give you some idea of which
modules are being invoked and which aren't.

What I'm wondering is whether the pam_krb5.so module can be invoked twice
in the same stack without confusing itself (it might be trampling on its
own pam_[gs]et_data() items for example...?).

Hope that helps

Andrew

Cole, John wrote:
> Thanks for your response Andrew.
>
> I'm not sure actually! How should I go about checking this? As mentioned,
> the first pam config file below does succeed, so I think auth is the right
> thing to be using.
>
> John
>
> -----Original Message-----
> From: Andrew Morgan
>
> Are you sure that it is the 'auth' sequence that is causing the failure
> or the 'setcred' sequence?
>
> Cheers
>
> Andrew
>
> Cole, John wrote:
>
>>I'm trying to implement login authentication via multiple KRB5 realms for an
>>application. Currently using RedHat 7.2 with pam-0.75-19.rpm [Let me know
>>what other version info might be needed!]
>>
>>I'm observing some very strange behavior when using the same module more
>>than once. Although the module seems to succeed (per debug messages), PAM
>>seems to return failure to the applications.
>>
>>The following PAM file is used with success (which verifies I'm talking to
>>the krb server a-ok)
>>#%PAM-1.0
>>auth required /lib/security/pam_env.so debug
>>auth sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth required /lib/security/pam_deny.so debug
>>
>>What I'd like to do is something like:
>>#%PAM-1.0
>>auth required /lib/security/pam_env.so debug
>>auth sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth sufficient /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
>>auth required /lib/security/pam_deny.so debug
>>
>>but it fails every time.
>>
>>I've tried two different things, in an effort to debug WHY this happens. My
>>first thought is that it'd be bad to authenticate again after getting a
>>success. So I changed things to:
>>
>>#%PAM-1.0
>>auth required /lib/security/pam_env.so debug
>>auth [success=2 default=ok] /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth [success=1 default=ok] /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
>>auth required /lib/security/pam_deny.so debug
>>
>>but that doesn't seem to work as the documentation I've seen indicates; i.e.
>>that we'd skip over B realm if A realm passed. I think my ultimate solution
>>should be something like this, but I'm not sure where I went wrong.
>>
>>So, in an effort to divide and conquer my problem, I changed to a case that
>>I expected to succeed. Making two requests to the realm that can
>>authenticate the user. Debug results from the krb module reports success
>>both times, but PAM still returns failure!!!
>>#%PAM-1.0
>>auth required /lib/security/pam_env.so debug
>>auth sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth required /lib/security/pam_deny.so debug
>>
>>I'm not sure if I've stumbled across 1-2 bugs, or if I'm way off base. Any
>>help would be appreciated!
>>
>>John
>
> _______________________________________________
>
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
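
Added example, not part of the original thread or of Linux-PAM: a Python helper that interleaves pam_warn into an auth stack the way the reply above suggests (before, between and after each auth line). It assumes pam_warn.so is installed at /lib/security/pam_warn.so beside the other modules, and that a numeric action such as success=2 skips the next N modules, so each count is doubled to keep its original target; the names instrument, is_auth_line, WARN and SAMPLE are hypothetical.

```python
import re

# Assumption: pam_warn.so sits in the same directory as the modules in the thread.
WARN = "auth optional /lib/security/pam_warn.so"
BRACKET = re.compile(r"(\s*auth\s+\[)([^\]]*)(\].*)")  # auth [control] module args
JUMP = re.compile(r"(\w+)=(\d+)")                      # numeric action, e.g. success=2

# The [success=N] stack quoted in the thread, with the mail-wrapped lines joined.
SAMPLE = """#%PAM-1.0
auth required /lib/security/pam_env.so debug
auth [success=2 default=ok] /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
auth [success=1 default=ok] /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
auth required /lib/security/pam_deny.so debug"""


def is_auth_line(line):
    """True for a non-comment line whose first field is 'auth'."""
    fields = line.split()
    return bool(fields) and fields[0] == "auth"


def instrument(stack_text):
    """Add a pam_warn line before, between and after every auth line.

    After instrumentation every original module is followed by one pam_warn
    line, so a jump over N modules must become a jump over 2N lines. It then
    lands on the pam_warn line just before the original target (or on the
    final pam_warn line when the original jump ran off the end of the stack).
    """
    out, seen_auth = [], False
    for line in stack_text.splitlines():
        if not is_auth_line(line):
            out.append(line)          # header, comments, other module types
            continue
        if not seen_auth:
            out.append(WARN)          # the "before" line
            seen_auth = True
        m = BRACKET.match(line)
        if m:                         # rewrite success=2 -> success=4, etc.
            control = JUMP.sub(
                lambda j: f"{j.group(1)}={2 * int(j.group(2))}", m.group(2))
            line = m.group(1) + control + m.group(3)
        out.append(line)
        out.append(WARN)              # the "between"/"after" line
    return "\n".join(out)


if __name__ == "__main__":
    print(instrument(SAMPLE))
```

Stacks that use only required/sufficient are passed through with the pam_warn lines added and nothing else changed; the doubling matters only for the bracketed jump form.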