On May 29, 2014, at 4:52 PM, Liam Hoekenga <li...@umich.edu> wrote: > Well, the defaults are (.+@.+) and ([^@]+), i.e., if there's @ in the login, > treat it as friend, if there's no @, use kerberos. A leading or trailing @ > would cause neither to match, or if the strings are too short, but that's > about it. > > That's what it looked like. > > These are just normal uniqnames that sometimes work and sometimes don't.
Maybe sort of like sometimes they enter their passwords correctly, and sometimes they don't? :) That's all that message means here: bad password. As the code currently stands, nothing is logged if cosign_login_krb5 doesn't succeed. In the case of a bad password, the code requests the next authenticator matching the current username pattern. But since the mysql and kerberos authenticator patterns are mutually exclusive when using the defaults, there are no more authenticators to try, so the pick_authenticator() call logs that error and returns -1, terminating the authenticator loop and ultimately drawing the login screen again. tl;dr: "Couldn't identify an authenticator for 'username'" almost always means "username submitted a bad password". andrew
signature.asc
Description: Message signed with OpenPGP using GPGMail
------------------------------------------------------------------------------ Time is money. Stop wasting it! Get your web API in 5 minutes. www.restlet.com/download http://p.sf.net/sfu/restlet
_______________________________________________ Cosign-discuss mailing list Cosign-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/cosign-discuss
