Lars Hanke <[email protected]> writes:

> Using the configuration files as produced by this package fails to log in
> to the system using Kerberos.  A typical auth.log for a Kerberos login
> looks like this:

> Jan 14 21:12:56 nfs4 login[5265]: pam_krb5(login:auth): user xxx 
> authenticated as xxx@XXX
> Jan 14 21:12:56 nfs4 login[5265]: Authentication failure

> Changing /etc/pam.d/common-account to reflect:

> account   sufficient   pam_krb5.so minimum_uid=1000
> account   required     pam_unix.so
> account   required     pam_permit.so

> makes logins based on /etc/shadow and Kerberos successful.  I couldn't
> get both scenarios running in parallel with any minor change to the
> config, but I'm not a PAM wizard either.

There are two mutually-exclusive ways that you can configure Kerberos's
interaction with the PAM stack.  One is to assume that if the account is
valid in Kerberos, that overrides all local configuration and local users,
which means that you don't have to ensure the user exists in the local
/etc/shadow database.  The other is to check local configuration as well
so that, if the user is locked out locally, they won't be allowed to log
in.

You can only do one or the other.  If you don't require the user exist
locally, then any local lockouts of the user will just be ignored and the
user will be able to log in anyway.

The package intentionally picks the second approach because it's more
secure.  Ignoring a local account lock by default is a security
vulnerability waiting to happen when someone installs libpam-krb5 on a
server without understanding the consequences.  Unfortunately, that means
that you need to change the default configuration if you don't want the
users to exist in any local user database.

This is documented in /usr/share/doc/libpam-krb5/README.Debian.gz (see the
part starting with "This configuration will still require that users be
listed in /etc/shadow").

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
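The difference between the two approaches is easiest to see by walking the account stack for a few kinds of user.  The following Python is an added illustration, not part of this thread and not libpam-krb5's own code: it models the classic Linux-PAM control keywords (required, requisite, sufficient, optional) with the three module outcomes that matter for them (success, failure, ignore), and runs two stacks through them.  The first stack is the one quoted from Lars's message; the second is an assumed layout of the "require a local account" approach (pam_unix must pass before pam_krb5 is consulted), not the exact file the Debian package generates.  The module bodies are simplified stand-ins for pam_unix, pam_krb5 and pam_permit, and the users are constructed test data.

```python
"""Toy evaluator for the classic Linux-PAM control keywords, used to compare
two /etc/pam.d/common-account layouts.

Module results are "ok", "bad" or "ignore".  Linux-PAM maps `required` to
[success=ok new_authtok_reqd=ok ignore=ignore default=bad] and `sufficient`
to [success=done new_authtok_reqd=done default=ignore]; the keyword handling
below follows that.  The module functions are simplified stand-ins, not the
real pam_unix / pam_krb5 code.
"""
from dataclasses import dataclass

PAM_SUCCESS, PAM_FAIL = "PAM_SUCCESS", "PAM_PERM_DENIED"


@dataclass
class User:
    name: str
    kerberos_principal: bool      # authenticated by pam_krb5 with a valid principal
    in_shadow: bool               # has an entry in /etc/passwd and /etc/shadow
    locally_locked: bool = False  # e.g. `passwd -l` or an expired account
    uid: int = 1000


def pam_krb5_account(user, args):
    # Stand-in: returns "ignore" when pam_krb5 did not authenticate the user
    # or the uid is below minimum_uid (assumed behaviour for this toy).
    if user.uid < int(args.get("minimum_uid", 0)) or not user.kerberos_principal:
        return "ignore"
    return "ok"


def pam_unix_account(user, args):
    # Stand-in: an unknown user and a locked/expired account are both
    # failures under `required`.
    return "ok" if user.in_shadow and not user.locally_locked else "bad"


def pam_permit_account(user, args):
    return "ok"


MODULES = {"pam_krb5.so": pam_krb5_account, "pam_unix.so": pam_unix_account,
           "pam_permit.so": pam_permit_account}


def parse_stack(text):
    """Parse `account <control> <module> [key=value ...]` lines into a list."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] != "account":
            raise ValueError(f"unsupported service type in {line!r}")
        control, module, *argv = fields[1:]
        args = dict(a.split("=", 1) if "=" in a else (a, "") for a in argv)
        stack.append((control, module, args))
    return stack


def run_account_stack(stack, user):
    """Evaluate the stack top to bottom the way libpam does for these keywords."""
    failed = False
    for control, module, args in stack:
        result = MODULES[module](user, args)
        if control == "required":
            failed |= result == "bad"      # keep going, fail at the end
        elif control == "requisite":
            if result == "bad":
                return PAM_FAIL            # fail immediately
        elif control == "sufficient":
            if result == "ok" and not failed:
                return PAM_SUCCESS         # short-circuit: later modules never run
        elif control != "optional":
            raise ValueError(f"unsupported control {control!r}")
    return PAM_FAIL if failed else PAM_SUCCESS


# Stack quoted from Lars's message: Kerberos overrides local account state.
KRB5_OVERRIDES_LOCAL = """
account sufficient pam_krb5.so minimum_uid=1000
account required   pam_unix.so
account required   pam_permit.so
"""

# Assumed layout of the package's approach (not the exact generated file):
# the local account must pass first, then pam_krb5 is consulted.
LOCAL_ACCOUNT_REQUIRED = """
account required   pam_unix.so
account required   pam_krb5.so minimum_uid=1000
"""

# Constructed test users covering the cases discussed in the thread.
USERS = [
    User("alice", kerberos_principal=True, in_shadow=True),
    User("bob", kerberos_principal=True, in_shadow=False),          # Kerberos-only
    User("carol", kerberos_principal=True, in_shadow=True, locally_locked=True),
    User("dave", kerberos_principal=False, in_shadow=True),         # local-only
]


def compare():
    """Map user name -> (result under override stack, result under local-required stack)."""
    a, b = parse_stack(KRB5_OVERRIDES_LOCAL), parse_stack(LOCAL_ACCOUNT_REQUIRED)
    return {u.name: (run_account_stack(a, u), run_account_stack(b, u)) for u in USERS}


if __name__ == "__main__":
    for name, (override, local) in compare().items():
        print(f"{name:6} krb5-overrides={override:16} local-required={local}")
```

Running it shows the trade-off stated above: "bob" (a Kerberos principal with no /etc/shadow entry, the situation in the bug report) is denied by the local-required stack and admitted by the override stack, while "carol" (locked with `passwd -l`) is admitted by the override stack because `sufficient pam_krb5.so` returns before pam_unix ever runs.  Swapping the order so that `required pam_unix.so` precedes `sufficient pam_krb5.so` closes that hole for locked users but still denies anyone missing from /etc/shadow, which is the "one or the other" choice the reply describes.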
