Re: pam_krb5 problem

On Thu, Oct 25, 2001 at 09:53:58AM -0500, ccweis@engineering.uiowa.edu wrote:
> I just installed Red Hat 7.2, pam_krb5-1.46-1 (rpm), and pam-0.75-14 
> (rpm).  I have been using pam_krb5 for quite some time now and have had no 
> problems.  However, with RH7.2, things aren't going so well.  I turned on 
> the debugging and this is what I get... (the test user account is ccweis)
> 
> <snip>
[snip]
> Oct 25 09:43:05 d-ece185 login[2921]: pam_krb5: pam_sm_authenticate 
> returning 0 (Success)
> Oct 25 09:43:05 d-ece185 login[2921]: Authentication service cannot 
> retrieve authentication info.
> 
> </snip>
> 
> So, in the last couple of lines, it would appear that "pam_sm_authenticate 
> returning 0 (Success)" means that I successfully authenticated (as is 
> what the Kerberos server says).  However, the last line is what I get at 
> the login screen and the login attempt fails.

The error message that shows up in /var/log/messages (logged by login
as the result of some call to a function in libpam, which in turn is
calling into various modules) corresponds to PAM_AUTHINFO_UNAVAIL.

Looking at the login source in util-linux, it looks like the call
to pam_authenticate() is succeeding (failures in pam_authenticate
are always prefixed by "FAILED LOGIN" or "TOO MANY LOGIN ATTEMPTS" in
the log), and the next call to libpam that could generate that log
message is a call to pam_acct_mgmt().

So the failure is coming from the "account" section of your PAM
configuration.

I'm going to go out on a limb here and guess that the encrypted
password field of your passwd entry is "x", and the pam_unix module
is returning this error code because you're not actually using
shadow passwords, and there is no password-aging information for it
to look at for the user.  If this is the case, changing the contents
to either "*" (or "*K*", which I think is the proper convention if
you're using Kerberos for authenticating the user) should cause this
to stop happening.

If that's not it, the contents of the PAM configuration files would
be helpful in figuring this one out.

Cheers,

Nalin
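
An added example, not part of the original message: a Python check for the condition the reply guesses at, a passwd entry whose password field is "x" with no matching shadow entry. The sample file contents are constructed, and the function names are this example's own.

```python
"""Report accounts whose passwd entry says "x" but which have no shadow entry."""
import sys

# Constructed sample data: ccweis has "x" but no shadow line, kuser uses "*K*".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ccweis:x:5001:100:Test User:/home/ccweis:/bin/bash
kuser:*K*:5002:100:Kerberos User:/home/kuser:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!!:11620:0:99999:7:::
"""


def parse_colon_file(text, min_fields):
    """Map login name -> fields, skipping blanks, comments and NIS +/- lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            entries.setdefault(fields[0], fields)  # keep first entry per name
    return entries


def dangling_shadow_refs(passwd_text, shadow_text):
    """Names whose passwd password field is "x" with no shadow entry."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    return sorted(n for n, f in passwd.items() if f[1] == "x" and n not in shadow)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. /etc/passwd /etc/shadow (shadow needs root)
        with open(sys.argv[1]) as p, open(sys.argv[2]) as s:
            names = dangling_shadow_refs(p.read(), s.read())
    else:
        names = dangling_shadow_refs(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name in names:
        print(f'{name}: passwd field is "x" but there is no shadow entry')
```

Run with no arguments it checks the constructed sample; given two file paths it checks those files instead.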




