On Wed, Apr 10, 2002 at 08:33:58AM -0500, McNutt, Justin M. wrote:
> > PAM itself doesn't care about local vs. non-local accounts.  If you're
> > having trouble with this, you almost certainly have a module in your PAM
> > config which you shouldn't -- such as pam_unix, which by definition
> > requires local accounts and will give you a failure for anything else.
> > 
> > Someone on the list may be able to pinpoint the exact trouble if you 
> > dump us your PAM config for freeradius.

> I did in a previous post, but here it is again for convenience:

> #%PAM-1.0
> auth            required        /usr/pam/lib/security/pam_krb5.so
> account         required        /usr/pam/lib/security/pam_permit.so

If this particular configuration doesn't work, then the pam_krb5 module 
you're using is buggy.  I would recommend the OpenPAM krb5 module based 
on Frank Cusack's work, but I wouldn't swear that it doesn't also have 
this bug at present -- the devel team talked about making sure the 
module worked without local accounts, but I don't know that it's ever 
been committed to CVS.

Kick me if you don't hear back from me on this in a day or so -- I'll 
take a look at what we have in the pam_krb5 CVS repository and fix it if 
it isn't already taken care of.

Steve Langasek
postmodern programmer
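
The check discussed in this message, as an added example that is not part of the original thread: a parser for pam.d-style service files that reports `auth`/`account` rules which, per the message, fail for users without a local account. The `LOCAL_ONLY` set, the function names and the second sample config are assumptions made for illustration; only pam_unix is named in the thread.

```python
import os
import re

# Modules that fail for users without a local account. Only pam_unix is named
# in the message above; extend the set for your site (assumption, not a full list).
LOCAL_ONLY = {"pam_unix"}
# Controls where one module failure fails the whole stack.
BLOCKING = {"required", "requisite"}
# pam.d rule: [-]type  control-or-[bracketed control]  module-path  [args...]
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# The configuration quoted in the message.
QUOTED_CONFIG = """#%PAM-1.0
auth            required        /usr/pam/lib/security/pam_krb5.so
account         required        /usr/pam/lib/security/pam_permit.so
"""

# Constructed sample (not from the thread): a Kerberos stack with pam_unix left in.
CONSTRUCTED_CONFIG = r"""#%PAM-1.0
auth     required    pam_krb5.so
auth     required    pam_unix.so try_first_pass
account  required    \
         /lib/security/pam_unix.so
session  required    pam_unix.so
"""

def parse_pam(text):
    """Return (first_line, type, control, module_name) for each rule."""
    rules, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        buf += raw.rstrip()
        if buf.endswith("\\"):               # backslash continues the rule
            buf = buf[:-1] + " "
            continue
        line, buf = buf.split("#", 1)[0].strip(), ""
        m = RULE.match(line)
        if m:
            name = os.path.basename(m.group(3)).split(".")[0]
            rules.append((start, m.group(1), m.group(2), name))
    return rules

def local_only_blockers(text, types=("auth", "account")):
    """Rules that would fail a non-local user. Bracketed controls are flagged
    conservatively; includes and 'sufficient' short-circuits are not modelled."""
    return [r for r in parse_pam(text)
            if r[1] in types and r[3] in LOCAL_ONLY
            and (r[2] in BLOCKING or r[2].startswith("["))]
```

An empty result for the quoted configuration matches the reply's reasoning: nothing in that stack depends on a local account, so a failure there points at the pam_krb5 module itself.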
