On Tue, 2005-02-22 at 10:30 +1000, Ian Mortimer wrote: > Testing on Fedora Core 3 with this configuration seems to work: > > password requisite pam_cracklib.so retry=3 > password requisite pam_unix.so nullok use_authtok md5 shadow > password optional pam_krb5.so use_authtok try_first_pass > #password required pam_deny.so > > But I had to comment out pam_deny.so to get it to work in case 3. > (A simpler solution would be to reverse the order of the pam_unix and > pam_krb5 entries but unfortunately pam_unix doesn't accept > try_first_pass in password context). > > What problems will removing pam_deny from the password module cause? Of course you cannot have pam_deny.so there in your configuration because the pam_krb5 is optional - thus the pam_deny makes the password fail regardless of the result of pam_krb5. So removing pam_deny was the right thing to do. -- Tomas Mraz <tmraz@xxxxxxxxxx> _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
