On Mon, Nov 24, 2003 at 01:26:52PM -0500, Adam Parrish wrote:
> I have installed Kerberos and PAMS and AFS on my Debian machine running
> on an Itanium 2. I have done the following to configure it
>
> 1. install hesiod and pam packages
>
> $ apt-get install hesiod autofs-hesiod libpam-krb5
> libpam-openafs-session
>
> 2. change the pam_unix.so line in /etc/pam.d/common-auth to look
> like:
>
> auth sufficient pam_unix.so
>
> 3. add the following line to /etc/pam.d/common-auth:
>
> auth required pam_krb5.so try_first_pass
>
> 4. add the following 2 lines to /etc/pam.d/common-session:
>
> session optional pam_krb5.so
> session optional pam_openafs_session.so
>
> 5. modify the passwd and group lines in /etc/nsswitch.conf to look
> like:
>
> passwd: <leave whatever is there> hesiod
> group: <leave whatever is there> hesiod
>
> 6. add the following line to /etc/nsswitch.conf:
>
> automount: hesiod
>
> For some reason I can still no longer log in with a valid username and
> password. Is there any way to debug this or help figure out if pams is
> even operating correctly?

First, check /var/log/messages and /var/log/secure (might vary from distribution to distribution) for information about why login access was denied. You may find messages detailing why things aren't working there.

If the logs are of no help, you get to troubleshoot it. First, make sure that your system "knows" about its users. Check that your system can get information about the user by running 'getent passwd username' for the user, first as root, and then again as a different unprivileged user. If you get output resembling a line from /etc/passwd, then this works. Turn off nscd while you're doing this -- it can be confusing while you're debugging your setup. Because you're using hesiod, you'll also want to check the settings in your hesiod.conf file. You need to get this working before you can start troubleshooting your authentication setup.
Once your system can retrieve information about its users, you can figure out what is going wrong during authentication. For Kerberos, check that your krb5.conf file is properly configured for your realm, and that 'kinit username' works from the command line. Most of the time, 'kinit' will tell you what's wrong. If 'kinit' works but you still can't log in, add "debug" to the list of options you're passing to the module, and configure syslog to log debug messages. Then try again and check your logs for those debug messages.

Because you're using AFS, you'll also need to ensure that a user will be able to get to her home directory after logging in. Check that AFS is configured for your cell, and that you can run 'kinit' and 'aklog' (if your site uses vanilla Kerberos) or 'klog' (if you're using AFS's Kerberos support) to get tokens as a regular user, and that you can access that user's home directory using those tokens. Because name resolution already works, you can log in as root, use "su" to switch to the user's UID, run 'kinit/aklog' or 'klog' to get tokens for the user, and then attempt to change to the user's home directory. (When you get down to it, this is what you're attempting to get login to do on your users' behalf.)

Getting hesiod support working with the automounter requires that you have 'filsys' records in the hesiod database for each directory which you want to be able to automount -- because you typically only have one "map", there's no "auto.master" automount map for the autofs init script to consult (if it wants to). You'll need to determine which directory you want to use for the automounter, and configure /etc/auto.master to use hesiod for that point by adding "/example hesiod" at the end of the file.

The specifics of your Hesiod, Kerberos, and AFS setups should be documented somewhere, though they may just be common knowledge you haven't acquired yet.
HTH,

Nalin

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
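The layered troubleshooting Nalin describes (config, name resolution, tokens, home directory), as an added diagnostic script that is not part of the original thread. Debian file paths, the default of vanilla Kerberos (kinit + aklog), and the assumption that the pam.d lines use a simple control token are mine.

```shell
#!/bin/sh
# Added diagnostic script, not part of the original thread. It walks the
# layers in the order Nalin gives and stops at the first one that fails.
# Assumptions: Debian paths, vanilla Kerberos (kinit + aklog) by default,
# and pam.d lines with a simple control token (e.g. "auth required mod").

# Does DB in an nsswitch.conf-style FILE list SOURCE (e.g. passwd ... hesiod)?
nss_has_source() {
    awk -v db="$2:" -v src="$3" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Does a pam.d FILE stack MODULE for TYPE (auth, session, ...)? Comments skipped.
pam_has_module() {
    awk -v type="$2" -v mod="$3" '
        /^[[:space:]]*#/ { next }
        $1 == type && $3 == mod { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Name resolution: this must work before authentication can be debugged.
check_nss() {
    getent passwd "$1" >/dev/null 2>&1
}

# run_checks USER [aklog|klog]: run as root, reports the first failing layer.
run_checks() {
    user=$1; afs=${2:-aklog}
    nss_has_source /etc/nsswitch.conf passwd hesiod ||
        { echo "nsswitch.conf: passwd does not list hesiod"; return 1; }
    pam_has_module /etc/pam.d/common-auth auth pam_krb5.so ||
        { echo "common-auth: pam_krb5.so is not in the auth stack"; return 1; }
    check_nss "$user" ||
        { echo "getent passwd $user failed: check hesiod.conf, stop nscd"; return 1; }
    home=$(getent passwd "$user" | cut -d: -f6)
    # Tokens, then the home directory: what login does on the user's behalf.
    if [ "$afs" = klog ]; then
        tokens="klog $user"
    else
        tokens="kinit $user && aklog"
    fi
    su "$user" -c "$tokens && cd '$home'" ||
        { echo "tokens or access to $home failed (Kerberos/AFS/automount)"; return 1; }
    echo "all layers OK for $user"
}
```

Run it as root with `run_checks username` (or `run_checks username klog` for a kaserver cell); the first message printed names the layer to look at in the logs.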