Having just spent ages trying to discover why I couldn't log in to one of my recently-upgraded FreeBSD 8.0-RC1 servers...
Kerberos login processing has changed! I had a .k5login file on the server with a single entry: john/[email protected] On FreeBSD 7.2 that meant that I could log in as john on that server with either my john@ (default principal/account mapping) or my john/admin@ (by virtue of .k5login) principal. On FreeBSD 8.0 that means that ONLY john/admin@ can login to that account. The fact that a .k5login file is present restricts access to principals listed in that file. Anyone like to guess where the .k5login man page is? Try krb5_kuserok(3). FreeBSD 7.2 Kerberos Login -------------------------- First krb5_kuserok check if there is a local account name username. If there isn't, krb5_kuserok returns FALSE. Then krb5_kuserok checks if principal is the same as u...@realm in any of the default realms. If that is the case, krb5_kuserok returns TRUE. After that it reads the file .k5login (if it exists) in the users home directory and checks if principal is in the file. If it does exists, TRUE is returned. If neither of the above turns out to be true, is returned. FreeBSD 8.0 Kerberos Login -------------------------- The user may have a ~/.k5login file listing principals that are allowed to login as that user. If that file does not exist, all principals with a first component identical to the username, and a realm considered local, are allowed access. Note that if the file exists, no implicit access rights are given to user@<localrealm>. -- John Marshall
pgpizLadoUHY3.pgp
Description: PGP signature
