Hello,
We're trying to setup a RedHat 7.1 system to authenticate to Active
Directory. We have it authenticating alright but we're running into a
problem with some characters (two semicolons) that are being displayed after
the user has authenticated. While this is only a visual issue in telnet,
it's breaking pop3 and imap.
Here's a sample of telnetting to the pop3 port:
[root@tuna /etc]# telnet tuna pop3
Trying 147.222.3.17...
Connected to tuna.gonzaga.edu (147.222.3.17).
Escape character is '^]'.
+OK POP3 tuna.gonzaga.edu v2000.69rh server ready
user testacct
+OK User name accepted, password please
pass xyzzy
;;+OK Mailbox open, 19 messages
quit
+OK Sayonara
Connection closed by foreign host.
------------
The two semicolons before the "+OK Mailbox open, 19 messages" are causing
the POP clients to fail. The same thing is happening in IMAP, ftp, telnet,
and after a successful login.
If we disable pam_krb5, we don't get these characters. We also don't get
these characters on our HP-UX system which is also authenticating to Active
Directory. The problem occurs if the shadow password and the Active
Directory password are the same, if they are different, or if the user has
no shadow password at all.
Here's our current krb5.conf file:
[libdefaults]
default_realm = GUNET.GONZAGA.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
GUNET.GONZAGA.EDU = {
kdc = dc1-gunet.gunet.gonzaga.edu:88
kpasswd_server = dc1-gunet.gunet.gonzaga.edu:464
}
-------------
Here's our current system-auth file:
#auth required /lib/security/pam_env.so
#auth optional /lib/security/pam_unix.so likeauth nullok md5
shadow
#auth required /lib/security/pam_krb5.so
auth optional /lib/security/pam_unix.so nullok md5 shadow
auth sufficient /lib/security/pam_krb5.so
#auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5
shadow
password sufficient /lib/security/pam_krb5.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
#session optional /lib/security/pam_krb5.so
---------
If there are any hints that you can provide, that would be great. I'm pretty
new to PAM, Kerberos, and Active Directory so this is all pretty strange to
me.
Thanks,
Greg
Greg Francis
Unix System Administrator
Central Computing, Gonzaga University
francis@its.gonzaga.edu, 509-323-6896
