On 10/1/2010 10:46 AM, Claudio Prono wrote:
Hello all, I am searching for someone experienced with an openafs-client with pam, kerberos and ldap.
What OS?
I am trying to use a single sign-on to a Linux client with AFS (shell user, no local user). I have set up pam with krb5 and afs, with these configs:

/etc/pam.d/common-auth
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

/etc/pam.d/common-session
session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so
session optional pam_umask.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm

/etc/pam.d/common-password
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_deny.so

/etc/pam.d/common-account
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
Are you sure you need the pam_ldap.so here? It's generally used only for authentication, and you are using Kerberos. If you have nss_ldap set up via /etc/nsswitch.conf you should not need pam_ldap.so. Which pam_krb5 are you using? Does it do AFS? If not you will also need pam_afs_session.so to get tokens.
If I do an id [user] on the remote machine, it works (it is not a local user):

id claudio
uid=1003(claudio) gid=100(users) groups=100(users),1000(domadm),1001(Domain Admins)

But when I try to log in with an ldap/kerberos user, in the machine logs I get this:

Oct 1 16:48:03 linux-7w13 sshd[4192]: pam_krb5[4192]: authentication succeeds for 'claudio' ([email protected])
Oct 1 16:48:03 linux-7w13 sshd[4099]: error: PAM: Authentication failure for claudio from 192.168.87.131

I don't understand... why does it first succeed, and then fail? What is wrong? Any hint is welcome.

Cheers,
Claudio.
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
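To see how one module's verdict can flip the outcome of a stack like the ones quoted above (a "sufficient" pam_krb5 carrying the auth phase, a later "required" module sinking the account phase), here is an added simulator of Linux-PAM's simple control flags. It is illustration code written for this thread, not code from Linux-PAM, pam_krb5 or OpenAFS; the per-module results for the Kerberos-only user are constructed, and pam_ldap failing in the account phase is an assumption used to show the effect of Douglas's suggestion, not a diagnosis of Claudio's machine.

```python
# Added illustration: a simplified model of Linux-PAM's simple control flags
# (required / requisite / sufficient / optional). Hypothetical helper code,
# not from Linux-PAM, pam_krb5 or OpenAFS. The "[value=action]" syntax and
# the "optional counts only if it is the sole module" rule are not modelled.

def evaluate_stack(stack, results):
    """Return True if the stack as a whole succeeds.

    stack:   list of (control, module) pairs in file order.
    results: dict module -> True (PAM_SUCCESS) or False (any failure),
             i.e. what each module returns for the user being processed.
    """
    failed_required = False
    for control, module in stack:
        ok = results.get(module, False)   # unknown module: treat as failing
        if control == "requisite" and not ok:
            return False                  # abort the stack immediately
        if control == "required" and not ok:
            failed_required = True        # keep running, but verdict is failure
        if control == "sufficient" and ok and not failed_required:
            return True                   # short-circuit success
    return not failed_required

# The auth and account stacks as quoted in Claudio's mail (arguments omitted).
COMMON_AUTH = [
    ("required",   "pam_env.so"),
    ("optional",   "pam_gnome_keyring.so"),
    ("sufficient", "pam_unix2.so"),
    ("sufficient", "pam_krb5.so"),
    ("required",   "pam_deny.so"),
]
COMMON_ACCOUNT = [
    ("requisite",  "pam_unix2.so"),
    ("required",   "pam_krb5.so"),
    ("sufficient", "pam_localuser.so"),
    ("required",   "pam_ldap.so"),
]

# Constructed results for a Kerberos/LDAP user with no /etc/passwd entry:
# pam_unix2 has no local hash (auth) but sees the nss_ldap passwd entry
# (account); pam_ldap failing in the account phase is an assumption.
AUTH_RESULTS = {"pam_env.so": True, "pam_gnome_keyring.so": False,
                "pam_unix2.so": False, "pam_krb5.so": True, "pam_deny.so": False}
ACCOUNT_RESULTS = {"pam_unix2.so": True, "pam_krb5.so": True,
                   "pam_localuser.so": False, "pam_ldap.so": False}

def without(stack, module):
    """Return a copy of the stack with one module dropped."""
    return [entry for entry in stack if entry[1] != module]

if __name__ == "__main__":
    print("auth:", evaluate_stack(COMMON_AUTH, AUTH_RESULTS))
    print("account:", evaluate_stack(COMMON_ACCOUNT, ACCOUNT_RESULTS))
    print("account w/o pam_ldap:",
          evaluate_stack(without(COMMON_ACCOUNT, "pam_ldap.so"), ACCOUNT_RESULTS))
```

With these constructed results the auth stack succeeds on pam_krb5 exactly as the first log line reports, while the account stack fails on the trailing required module even though pam_krb5 passed; removing pam_ldap.so turns the account verdict to success.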
