RE: Problem with pam_krb5 and semicolons




I'm not seeing that here - what's your /etc/krb5.conf look like?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  

-----Original Message-----
From: Greg Francis [mailto:francis@raptor.gonzaga.edu]
Sent: 26 April 2001 04:37
To: pam-list@redhat.com
Subject: Problem with pam_krb5 and semicolons


Hello,

We're trying to set up a RedHat 7.1 system to authenticate to Active
Directory. We have it authenticating alright but we're running into a
problem with some characters (two semicolons) that are being displayed after
the user has authenticated. While this is only a visual issue in telnet,
it's breaking pop3 and imap.

Here's a sample of telnetting to the pop3 port:

[root@tuna /etc]# telnet tuna pop3
Trying 147.222.3.17...
Connected to tuna.gonzaga.edu (147.222.3.17).
Escape character is '^]'.
+OK POP3 tuna.gonzaga.edu v2000.69rh server ready
user testacct
+OK User name accepted, password please
pass xyzzy
;;+OK Mailbox open, 19 messages
quit
+OK Sayonara
Connection closed by foreign host.

------------

The two semicolons before the "+OK Mailbox open, 19 messages" are causing
the POP clients to fail. The same thing is happening in IMAP, ftp, telnet,
and after a successful login.

If we disable pam_krb5, we don't get these characters. We also don't get
these characters on our HP-UX system which is also authenticating to Active
Directory. The problem occurs if the shadow password and the Active
Directory password are the same, if they are different, or if the user has
no shadow password at all.

Here's our current krb5.conf file:

[libdefaults]
 default_realm = GUNET.GONZAGA.EDU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc

[realms]
 GUNET.GONZAGA.EDU = {
  kdc = dc1-gunet.gunet.gonzaga.edu:88
  kpasswd_server = dc1-gunet.gunet.gonzaga.edu:464
 }

-------------

Here's our current system-auth file:

#auth        required      /lib/security/pam_env.so
#auth        optional    /lib/security/pam_unix.so likeauth nullok md5 shadow
#auth        required    /lib/security/pam_krb5.so
auth        optional    /lib/security/pam_unix.so nullok md5 shadow
auth        sufficient    /lib/security/pam_krb5.so
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
#session     optional      /lib/security/pam_krb5.so

---------

If there are any hints that you can provide, that would be great. I'm pretty
new to PAM, Kerberos, and Active Directory so this is all pretty strange to
me.

Thanks,
Greg


Greg Francis
Unix System Administrator
Central Computing, Gonzaga University
francis@its.gonzaga.edu, 509-323-6896




