On Thu, Oct 25, 2001 at 09:53:58AM -0500, ccweis@engineering.uiowa.edu wrote: > I just installed Red Hat 7.2, pam_krb5-1.46-1 (rpm), and pam-0.75-14 > (rpm). I have been using pam_krb5 for quite some time now and have had no > problems. However, with RH7.2, things aren't going so well. I turned on > the debugging and this is what I get... (the test user account is ccweis) > > <snip> [snip] > Oct 25 09:43:05 d-ece185 login[2921]: pam_krb5: pam_sm_authenticate > returning 0 (Success) > Oct 25 09:43:05 d-ece185 login[2921]: Authentication service cannot > retrieve authentication info. > > </snip> > > So, in the last couple of lines, it would appear that "pam_sm_authenticate > returning 0 (Success)" means that I successfully authenticated ( as is > what the kerberos server says ). However, the last line is what I get at > the login screen and the login attempt fails. The error message that shows up in /var/log/messages (logged by login as the result of some call to a function in libpam, which in turn is calling into various modules) corresponds to PAM_AUTHINFO_UNAVAIL. Looking at the login source in util-linux, it looks like the call to pam_authenticate() is succeeding (failures in pam_authenticate are always prefixed by "FAILED LOGIN" or "TOO MANY LOGIN ATTEMPTS" in the log), and the next call to libpam that could generate that log message is a call to pam_acct_mgmt(). So the failure is coming from the "account" section of your PAM configuration. I'm going to go out on a limb here and guess that the encrypted password field of your passwd entry is "x", and the pam_unix module is returning this error code because you're not actually using shadow passwords, and there is no password-aging information for it to look at for the user. If this is the case, changing the contents to either "*" (or "*K*", which I think is the proper convention if you're using Kerberos for authenticating the user) should cause this to stop happening. If that's not it, the contents of the PAM configuration files would be helpful in figuring this one out. Cheers, Nalin
