Package: libpam-krb5
Version: 3.5-1.1
Severity: normal

Don't panic over the version. :-) This is package 3.5-1 with some local instrumenting added in an attempt to understand what is going on.

Documentation claims:

"If the username provided to PAM contains an "@" and Kerberos can, treating the username as a principal, map it to a local account name, pam_authenticate() will change the PAM user to that local account name."

This does not actually happen, and I can't figure out why. I have attached /var/log/auth.log excerpts of login attempts (with "debug" option specified) -- my version adds a few extra lines of information so you can see what is happening with canonicalize_name()... Also note these attempts were via telnet on the loopback interface and not OpenSSH, in case that makes a difference.

It appears the name is canonicalized correctly, but apparently pam_sm_setcred() doesn't get the message and proceeds to try getpwnam() against the original principal, which of course fails. I am clueless to understand why this happens as the code appears to try to do the right thing.

One oddity I did notice is that it appears to me that pam_sm_authenticate() jumps to "done" (bypassing the canonicalize_name() call) in the event no_ccache is specified. This does not seem right to me either, but has no direct bearing on the bug that is driving me nuts at the moment. :-)

Thanks for a sanity-saving library,

Scott Bailey
[EMAIL PROTECTED]

-- System Information:
Debian Release: lenny/sid
Architecture: sparc (sparc64)
Kernel: Linux 2.6.22-1-sparc64
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-krb5 depends on:
ii  krb5-con  1.17                             Configuration files for Kerberos V
ii  libc6     2.6-2                            GNU C Library: Shared libraries
ii  libcomer  1.39+1.40-WIP-2006.11.14+dfsg-2  common error description library
ii  libkrb53  1.6.dfsg.1-6                     MIT Kerberos runtime libraries
ii  libpam0g  0.79-4                           Pluggable Authentication Modules l

libpam-krb5 recommends no packages.

-- no debconf information

[ Using login "czhc72" and inheriting default realm ]

Aug 10 16:35:17 w2czhc7202 login[29643]: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Aug 10 16:35:17 w2czhc7202 login[29643]: (pam_krb5): czhc72: attempting authentication as [EMAIL PROTECTED]
Aug 10 16:35:17 w2czhc7202 login[29643]: (pam_krb5): czhc72: canonicalize_name: entry (0x0)
Aug 10 16:35:17 w2czhc7202 login[29643]: (pam_krb5): czhc72: canonicalize_name: exit (failure)
Aug 10 16:35:17 w2czhc7202 login[29643]: (pam_krb5): czhc72: pam_sm_authenticate: exit (success)
Aug 10 16:35:17 w2czhc7202 login[29643]: (pam_krb5): czhc72: pam_sm_setcred: entry (0x2)
Aug 10 16:35:17 w2czhc7202 login[29643]: (pam_krb5): czhc72: initializing ticket cache FILE:/tmp/krb5cc_1000_Ybt4gO
Aug 10 16:35:17 w2czhc7202 login[29643]: (pam_krb5): czhc72: pam_sm_setcred: exit (success)

[ Using login "[EMAIL PROTECTED]" ]

Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): [EMAIL PROTECTED]: attempting authentication as [EMAIL PROTECTED]
Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): [EMAIL PROTECTED]: canonicalize_name: entry (0x0)
Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): [EMAIL PROTECTED]: using localname: czhc72
Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): [EMAIL PROTECTED]: canonicalize_name: exit (success)
Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): [EMAIL PROTECTED]: pam_sm_authenticate: exit (success)
Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): [EMAIL PROTECTED]: pam_sm_setcred: entry (0x2)
Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): [EMAIL PROTECTED]: getpwnam failed for [EMAIL PROTECTED]
Aug 10 16:35:37 w2czhc7202 login[29649]: (pam_krb5): [EMAIL PROTECTED]: pam_sm_setcred: exit (failure)
Aug 10 16:35:37 w2czhc7202 login[29649]: User not known to the underlying authentication module
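
Added example, not part of the original report or of pam-krb5: a Python check over auth.log lines in the format of the excerpts above that flags a login where a local name was reported ("using localname") but getpwnam was then tried against a different name in the same process. The sample lines, host name, PIDs and the principal alice@EXAMPLE.ORG are constructed, and the message texts are assumed to match the excerpts (some of them come from the reporter's local instrumentation).

```python
import re

# Constructed sample in the layout of the excerpts above. Host, PIDs and the
# principal alice@EXAMPLE.ORG are placeholders, not values from the report.
SAMPLE = """\
Aug 10 16:35:17 host login[101]: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Aug 10 16:35:17 host login[101]: (pam_krb5): alice: canonicalize_name: exit (failure)
Aug 10 16:35:17 host login[101]: (pam_krb5): alice: pam_sm_setcred: exit (success)
Aug 10 16:35:37 host login[102]: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Aug 10 16:35:37 host login[102]: (pam_krb5): alice@EXAMPLE.ORG: using localname: alice
Aug 10 16:35:37 host login[102]: (pam_krb5): alice@EXAMPLE.ORG: canonicalize_name: exit (success)
Aug 10 16:35:37 host login[102]: (pam_krb5): alice@EXAMPLE.ORG: getpwnam failed for alice@EXAMPLE.ORG
Aug 10 16:35:37 host login[102]: (pam_krb5): alice@EXAMPLE.ORG: pam_sm_setcred: exit (failure)
Aug 10 16:35:37 host login[102]: User not known to the underlying authentication module
"""

# syslog prefix, program[pid], the "(pam_krb5):" tag, the PAM user, the message
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]:\s+"
    r"\(pam_krb5\):\s+(?P<user>\S+?):\s+(?P<msg>.*)$"
)
LOCALNAME = "using localname: "
GETPWNAM = "getpwnam failed for "


def find_stale_user_failures(text):
    """Return one finding per getpwnam failure on a name other than the
    local name that the same process had already mapped the principal to."""
    mapped = {}      # (program, pid) -> local account name from canonicalization
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a pam_krb5 debug line
        key, msg = (m["prog"], m["pid"]), m["msg"]
        if msg.startswith("pam_sm_authenticate: entry"):
            mapped.pop(key, None)          # new attempt (or reused PID): reset
        elif msg.startswith(LOCALNAME):
            mapped[key] = msg[len(LOCALNAME):].strip()
        elif msg.startswith(GETPWNAM):
            looked_up = msg[len(GETPWNAM):].strip()
            local = mapped.get(key)
            if local is not None and looked_up != local:
                findings.append({"program": key[0], "pid": int(key[1]),
                                 "mapped_to": local, "looked_up": looked_up})
    return findings


if __name__ == "__main__":
    for f in find_stale_user_failures(SAMPLE):
        print(f)
```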