I just installed Red Hat 7.2, pam_krb5-1.46-1 (rpm), and pam-0.75-14 (rpm). I have been using pam_krb5 for quite some time now and have had no problems. However, with RH7.2, things aren't going so well. I turned on the debugging and this is what I get... (the test user account is ccweis) <snip> Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: get_config() called Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: Creating a ticket with addresses Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: password-changing banner set to `Kerberos 5' Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: ccache directory set to `/tmp' Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: making tickets forwardable Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: setting initial timeout to 1 Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: keytab file name set to `/etc/krb5.keytab' Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: krb4_convert false Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: setting maximum timeout to 30 Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: will only attempt to authenticate users when UID >= 0 Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: making tickets non-proxiable Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: setting renewable lifetime to 24000 Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: required_tgs set to `host/d-ece185.eng.uiowa.edu' Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: setting ticket lifetime to 24000 Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: setting timeout shift to 2 Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: use_authtok false Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: user_check true Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: validate false Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: warn_period 604800 Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: pam_sm_authenticate() called (prc = Success) Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: default Kerberos realm is `icaen.uiowa.edu' Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: pam_get_user returned `ccweis' Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: user is `ccweis' Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: `ccweis' has uid 500, gid 500 Oct 25 09:43:04 d-ece185 login[2921]: pam_krb5: attempting to authenticate `ccweis' Oct 25 09:43:05 d-ece185 login[2921]: pam_krb5: get_int_tkt returned Success Oct 25 09:43:05 d-ece185 login[2921]: pam_krb5: authentication succeeds for `ccweis' Oct 25 09:43:05 d-ece185 login[2921]: pam_krb5: credentials saved for `ccweis' Oct 25 09:43:05 d-ece185 login[2921]: pam_krb5: saved return code (0) for later use Oct 25 09:43:05 d-ece185 login[2921]: pam_krb5: pam_sm_authenticate returning 0 (Success) Oct 25 09:43:05 d-ece185 login[2921]: Authentication service cannot retrieve authentication info. </snip> So, in the last couple of lines, it would appear that "pam_sm_authenticate returning 0 (Success)" means that I successfully authenticated ( as is what the kerberos server says ). However, the last line is what I get at the login screen and the login attempt fails. When running kinit, the kerberos (actually dce) server accepts my password and offers me a ticket. So, it would appear that there is something else in the pam module(s) that is trying to do some checking after the fact. Anyway, I'm at a loss and I don't have time to go dinking through the source again, so if any of you have any ideas, let me know. Thanks, I appreciate all the help. ~Chris
