Hello, I'm configuring a CentOS 4.3 to authenticate users via krb5 on two separate realms. Login is working fine but I'm seeing some messages from pam that I'd like to get rid of.
Realms are DOMAINA.COM containing user testA and DOMAINB.COM containing user testB. Both users have been useradded to the CentOS server.

(Logging in as user testA on realm DOMAINA.COM)

Nov 13 12:05:26 xxxxx sshd(pam_unix)[30270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testA
Nov 13 12:05:27 xxxxx sshd[30270]: pam_krb5[30270]: authentication succeeds for 'testA' ([EMAIL PROTECTED])
Nov 13 12:05:27 xxxxx sshd(pam_unix)[30274]: session opened for user testA by (uid=0)
Nov 13 12:05:30 xxxxx sshd(pam_unix)[30274]: session closed for user testA

(Logging in as user testB on realm DOMAINB.COM)

Nov 13 12:05:50 xxxxx sshd(pam_unix)[30308]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testB
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication fails for 'testB' ([EMAIL PROTECTED]): User not known to the underlying authentication module (Client not found in Kerberos database)
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication succeeds for 'testB' ([EMAIL PROTECTED])
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: account checks fail for 'testB': user is unknown
Nov 13 12:05:50 xxxxx sshd(pam_unix)[30313]: session opened for user testB by (uid=0)
Nov 13 12:05:52 xxxxx sshd(pam_unix)[30313]: session closed for user testB

Here are the contents of /etc/pam.d/system-auth. DOMAINA.COM is set up as the default realm in /etc/krb5.conf.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1000
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass realm=DOMAINB.COM minimum_uid=1000
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so minimum_uid=1000
account     sufficient    /lib/security/$ISA/pam_krb5.so realm=DOMAINB.COM minimum_uid=1000
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so use_authtok minimum_uid=1000
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok realm=DOMAINB.COM minimum_uid=1000
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

So in the second case the system tries to authenticate user testB first to DOMAINA.COM, then DOMAINB.COM (as configured), and authentication in DOMAINA.COM fails because the testB account doesn't exist there. I'd like to avoid the pam_krb5 "authentication fails" and "account checks fail" messages getting logged there if that's possible.

The pam_unix "authentication fails" messages are probably due to the system first trying (and failing) to authenticate via the local passwd/shadow before using Kerberos. Is there any way to avoid this happening while still getting a legitimate warning when someone fails to connect using a non-Kerberos account?

Thanks in advance for your replies.
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
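The poster's second concern, keeping a real warning when a non-Kerberos login fails while ignoring the failures that the stack produces on its way to a success, can be handled on the log-consumer side instead of in the PAM configuration. The following script is an added example, not code from the post or from the list; it correlates the syslog lines by the sshd PID that pam_unix and pam_krb5 share (the session lines use a different PID and are ignored). A pam_unix "authentication failure" or a pam_krb5 "authentication fails" for a PID that later logs a pam_krb5 "authentication succeeds" is classified as fall-through noise; a PID whose failures are never followed by a success is reported as a genuine failed login. The sample log is the post's own lines plus one constructed failed login (PID 31000, user nobodyX) that I added so the script has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the post, plus one constructed
# failed login (PID 31000, user "nobodyX") that never reaches a Kerberos success.
SAMPLE_LOG = """\
Nov 13 12:05:26 xxxxx sshd(pam_unix)[30270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testA
Nov 13 12:05:27 xxxxx sshd[30270]: pam_krb5[30270]: authentication succeeds for 'testA' ([EMAIL PROTECTED])
Nov 13 12:05:27 xxxxx sshd(pam_unix)[30274]: session opened for user testA by (uid=0)
Nov 13 12:05:30 xxxxx sshd(pam_unix)[30274]: session closed for user testA
Nov 13 12:05:50 xxxxx sshd(pam_unix)[30308]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testB
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication fails for 'testB' ([EMAIL PROTECTED]): User not known to the underlying authentication module (Client not found in Kerberos database)
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication succeeds for 'testB' ([EMAIL PROTECTED])
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: account checks fail for 'testB': user is unknown
Nov 13 12:05:50 xxxxx sshd(pam_unix)[30313]: session opened for user testB by (uid=0)
Nov 13 12:05:52 xxxxx sshd(pam_unix)[30313]: session closed for user testB
Nov 13 12:07:01 xxxxx sshd(pam_unix)[31000]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=nobodyX
Nov 13 12:07:01 xxxxx sshd[31000]: pam_krb5[31000]: authentication fails for 'nobodyX' (nobodyX@DOMAINA.COM): Client not found in Kerberos database
"""

# syslog shape used by the post: "<ts> <host> <proc>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w()]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pam_unix puts the login name in "user=<name>"; "ruser=" must not match.
UNIX_USER_RE = re.compile(r"\buser=(\S+)")
# pam_krb5 puts the login name in quotes: "... for '<name>' ..."
KRB5_USER_RE = re.compile(r"for '([^']+)'")


def parse(log_text):
    """Group (process, message) pairs by PID, preserving log order."""
    by_pid = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a line in the expected syslog shape
        by_pid[int(m["pid"])].append((m["proc"], m["msg"]))
    return by_pid


def triage(log_text):
    """Split authentication failures into stack fall-through noise and real failures.

    Returns {"noise": [(pid, module, user), ...],
             "real_failures": [(pid, user), ...]}.
    """
    result = {"noise": [], "real_failures": []}
    for pid, events in parse(log_text).items():
        failures = []
        success_user = None
        for proc, msg in events:
            if proc.endswith("(pam_unix)") and msg.startswith("authentication failure"):
                um = UNIX_USER_RE.search(msg)
                failures.append(("pam_unix", um.group(1) if um else None))
            elif "pam_krb5[" in msg and "authentication fails for" in msg:
                failures.append(("pam_krb5", KRB5_USER_RE.search(msg).group(1)))
            elif "pam_krb5[" in msg and "authentication succeeds for" in msg:
                success_user = KRB5_USER_RE.search(msg).group(1)
        if not failures:
            continue  # e.g. the session-open/close PIDs
        if success_user is not None:
            # earlier modules failed but the stack ended in a Kerberos success
            result["noise"].extend((pid, mod, user) for mod, user in failures)
        else:
            # nothing in the stack accepted this login: worth a real warning
            result["real_failures"].append((pid, failures[0][1]))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"fall-through noise lines: {len(report['noise'])}")
    for pid, user in report["real_failures"]:
        print(f"WARNING: failed login pid={pid} user={user}")
```

The correlation key is the sshd PID, which in the posted log is the same for the pam_unix and pam_krb5 lines of one login attempt. If the account phase is of interest as well, the "account checks fail" line can be classified the same way; it is left uncounted here because the post reports that login still succeeds after it.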
