Andreas Ntaflos <[email protected]> writes:

> I hope this list is not inappropriate for questions about pam-krb5.

This is perfectly fine, at least as far as I'm concerned. :)

> Unfortunately my tests don't work. Enabling debugging on the PAM modules
> I see this in the Samba server's auth.log when calling "smbpasswd -r" on
> a remote machine.

> pam_smbpass(samba:chauthtok): username [testuser] obtained
> pam_smbpass(samba:chauthtok): Located account for testuser
> pam_krb5(samba:chauthtok): pam_sm_chauthtok: entry (0xc000)
> pam_krb5(samba:chauthtok): (user testuser) attempting authentication as
> [email protected]
> pam_krb5(samba:chauthtok): (user testuser) error getting password:
> Conversation error
> pam_krb5(samba:chauthtok): pam_sm_chauthtok: exit (failure)

"Conversation error" means that when pam-krb5 tried to prompt for the password, it was unable to do so, usually because the application didn't provide a conversation callback. How does smbpasswd -r provide the password to PAM?

You may need a custom PAM configuration for it that uses the PAM options use_first_pass and use_authtok, so that the PAM module will read the password from the stored PAM state rather than trying to prompt for it. However....

> For reference, /etc/pam.d/samba looks like this:

> auth requisite pam_krb5.so debug
> auth optional pam_smbpass.so migrate debug
> account required pam_krb5.so debug
> password optional pam_smbpass.so nullok use_authtok try_first_pass
> debug
> password required pam_krb5.so use_authtok try_first_pass debug
> session required pam_krb5.so debug

...it looks like that's what you've already got. Although I'm confused, since both pam_smbpass and pam_krb5 are configured to use a password stored in the stack by a previous module, but there's no previous module. *Someone* needs to be responsible for prompting for the password.

I'm not personally very familiar with smbpasswd -r or how it works, so I may be missing some aspect of this. (Presumably there's some reason why you want to use that and not just passwd configured with Samba and Kerberos PAM modules.)
--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
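
The stack problem raised in the reply above (every password module told to reuse a stored password, with no earlier module to obtain it) can be checked mechanically. This is an added example, not part of the original message and not code from pam-krb5 or Samba; the function names and the contrast stack are constructed, and it assumes that a module without use_authtok is the one that obtains the new password.

```python
import re

# Rule shape: [-]type control module [options]; control may be a [...] list.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# /etc/pam.d/samba as quoted in the thread (the wrapped "debug" rejoined).
THREAD_STACK = """\
auth requisite pam_krb5.so debug
auth optional pam_smbpass.so migrate debug
account required pam_krb5.so debug
password optional pam_smbpass.so nullok use_authtok try_first_pass debug
password required pam_krb5.so use_authtok try_first_pass debug
session required pam_krb5.so debug
"""

# Constructed contrast (not from the thread): the first password module lacks
# use_authtok, so it is the one expected to obtain the new password.
CONTRAST_STACK = """\
# constructed sample
password requisite pam_krb5.so try_first_pass debug
password optional pam_smbpass.so nullok use_authtok try_first_pass debug
"""

def parse_pam(text):
    """Return (type, control, module, options) for each rule in a pam.d file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()             # drop comments
        match = RULE.match(line)                        # skips blanks, @include
        if match:
            rtype, control, module, opts = match.groups()
            rules.append((rtype.lower(), control, module, opts.split()))
    return rules

def unprompted_modules(text, pam_type="password"):
    """List modules told to reuse a stored new password before any earlier
    module in the same stack could have obtained one."""
    findings, token_possible = [], False
    for rtype, _control, module, opts in parse_pam(text):
        if rtype != pam_type:
            continue
        if "use_authtok" in opts:
            if not token_possible:
                findings.append(module)
        else:
            # Assumption: this module obtains the password and stores it.
            token_possible = True
    return findings

if __name__ == "__main__":
    for name, stack in (("thread", THREAD_STACK), ("contrast", CONTRAST_STACK)):
        print(name, unprompted_modules(stack))
```

A clean result only means some module in the stack is positioned to obtain the password; it still needs a working conversation callback from the application to do so.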
