On Sun, 2004-05-02 at 11:57, Jeff Mitchell wrote:
> Folks--
>
> I'm trying to use PAM authentication (with Kerberos) and am running
> into troubles.
>
> I'm setting up eGroupWare (PHP, using pam_auth as shown below) to use
> PAM authentication. I've set up the necessary httpd/php files in
> /etc/pam.d with the following:
>
> #%PAM-1.0
> auth required /lib/security/pam_krb5.so
> account required /lib/security/pam_krb5.so
>
> (output of my /etc/krb5.conf file at the bottom)
>
> However, when the user attempts to log in with eGW, they will only
> authenticate correctly if an account of the same name exists on the
> local machine that eGW is on. Even though the password that is
> required for them to log in is the correct one (i.e. if the password
> on the local machine and the Kerberos server are different, the
> Kerberos one is the one that is accepted, which is correct behavior),
> I can't get them to log in unless there is an account on the local
> machine. I've tried this several times now -- a person cannot log in,
> so I do an adduser using the same username but a different password,
> and suddenly they can log in just fine (with the password the Kerberos
> server is expecting). This seems like a PAM issue, not eGW, so I'm
> posting it here in the hopes that someone will know why this is the
> case. We're going to be having over 1500 users authenticating against
> this installation of eGW (if all goes well) so obviously creating
> local accounts for all of them is not a great idea.

This is expected. Kerberos is used only for authentication.
Your Linux box also needs a place to look for login information
(uid, gid, home directory, etc.). Many use LDAP to distribute such
information.

If you don't want/need machine accounts, drop the line that says
account required /lib/security/pam_krb5.so
(or change 'required' to 'optional')

-- 
Nils O. Selåsdal <noselasd@xxxxxxxxxx>
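
An added example, not part of the original messages and not code from Linux-PAM or eGroupWare: a small Python check that parses a pam.d service file like the one quoted above and reports what a reviewer would flag in its auth and account stacks. The function names and the three sample files are constructed for illustration; the note about the `other` service reflects Linux-PAM's default-rules behaviour for a management group that has no entry.

```python
GROUPS = ("auth", "account", "password", "session")

def parse_pam_service(text):
    """Return {group: [(control, module, args), ...]} for a pam.d-style file."""
    stack = {g: [] for g in GROUPS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops comments and "#%PAM-1.0"
        if not line or len(line.split()) < 3:
            continue                             # blank or incomplete rule
        group, rest = line.split(None, 1)
        group = group.lstrip("-")                # "-auth": stay quiet if module is missing
        if group not in stack:
            continue                             # @include etc. are not followed here
        if rest.startswith("["):                 # bracketed control, e.g. [success=ok default=bad]
            end = rest.index("]")
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            control, rest = rest.split(None, 1)
        fields = rest.split()
        if fields:
            stack[group].append((control, fields[0], fields[1:]))
    return stack

def review(text):
    """Findings for the auth/account stacks of an application's PAM service."""
    stack, findings = parse_pam_service(text), []
    for group in ("auth", "account"):
        if not stack[group]:
            findings.append(f"{group}: no entry; default rules from the 'other' service apply")
    for control, module, _ in stack["account"]:
        if control in ("required", "requisite") and module.endswith("pam_krb5.so"):
            findings.append("account: pam_krb5.so is mandatory; in the thread, logins "
                            "then needed a matching account on the host")
    return findings

# Constructed inputs: the file from the question and the two variants from the reply.
ORIGINAL = """#%PAM-1.0
auth required /lib/security/pam_krb5.so
account required /lib/security/pam_krb5.so
"""
OPTIONAL = ORIGINAL.replace("account required", "account optional")
DROPPED = "#%PAM-1.0\nauth required /lib/security/pam_krb5.so\n"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("optional", OPTIONAL), ("dropped", DROPPED)):
        print(name, review(cfg) or "no findings")
```

With the account line dropped, what the application's account check returns depends on the host's `other` service file, so that file is worth reading before relying on the shorter configuration.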