Douglas E. Engert wrote:
>
> On 10/1/2010 10:46 AM, Claudio Prono wrote:
>> Hello all,
>>
>> I am searching for someone experienced with an openafs-client with pam,
>> kerberos and ldap.
>
> What OS?
>

It's OpenSuse 11.3.

>>
>> I am trying to use single sign-on to a Linux client with afs (shell
>> user, no local user). I have set up pam with krb5 and afs, with these
>> configs:
>>
>> /etc/pam.d/common-auth
>>
>> auth required pam_env.so
>> auth optional pam_gnome_keyring.so
>> auth sufficient pam_unix2.so
>> auth sufficient pam_krb5.so use_first_pass
>> auth required pam_deny.so
>>
>> /etc/pam.d/common-session
>>
>> session required pam_limits.so
>> session required pam_unix2.so
>> session optional pam_krb5.so
>> session optional pam_umask.so
>> session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm
>>
>> /etc/pam.d/common-password
>>
>> password requisite pam_pwcheck.so nullok cracklib
>> password optional pam_gnome_keyring.so use_authtok
>> password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
>> password sufficient pam_unix2.so use_authtok nullok
>> password sufficient pam_krb5.so
>> password required pam_deny.so
>>
>> /etc/pam.d/common-account
>>
>> account requisite pam_unix2.so
>> account required pam_krb5.so use_first_pass ignore_unknown_principals
>> account sufficient pam_localuser.so
>> account required pam_ldap.so use_first_pass
>
> Are you sure you need the pam_ldap.so here? It's generally used
> only for authentication, and you are using Kerberos.
> If you have nss_ldap set up via /etc/nsswitch.conf you should
> not need pam_ldap.so.
>
> Which pam_krb5 are you using? Does it do AFS?
> If not you will also need pam_afs_session.so to get tokens.
>

I have tried to remove pam_ldap.so from common-account, but nothing was solved. Same error. This is my nsswitch.conf:
passwd: compat
group: files ldap
shadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis ldap
aliases: files ldap
passwd_compat: ldap

>>
>> If I do an id [user] on the remote machine, it works (it is not a local
>> user):
>>
>> id claudio
>> uid=1003(claudio) gid=100(users)
>> groups=100(users),1000(domadm),1001(Domain Admins)
>>
>> But, when I try to log in with an ldap/kerberos user, in the machine
>> logs I get this:
>>
>> Oct 1 16:48:03 linux-7w13 sshd[4192]: pam_krb5[4192]: authentication
>> succeeds for 'claudio' ([email protected])
>> Oct 1 16:48:03 linux-7w13 sshd[4099]: error: PAM: Authentication
>> failure for claudio from 192.168.87.131
>>
>> I don't understand... why does it first succeed, and then fail?
>>
>> What is wrong?
>>
>> Any hint is welcome..
>>
>> Cheers,
>>
>> Claudio.
>>
>

--
--------------------------------------------------------------------------------
Claudio Prono                  OPST System Developer
Gsm: +39-349-54.33.258         @PSS Srl
Tel: +39-011-32.72.100         Via San Bernardino, 17
Fax: +39-011-32.46.497         10141 Torino - ITALY
http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
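As an added illustration (not code from the thread or from Linux-PAM), the following small Python simulator walks the posted common-auth and common-account stacks under Linux-PAM's required/requisite/sufficient/optional rules for a constructed set of per-module outcomes; it shows how a single module logging "authentication succeeds" can still end in a failed stack, and which module's result actually decided the outcome. The per-module outcomes in LDAP_USER are assumptions, not what the poster's system did.

```python
# Added illustration (not the thread's or Linux-PAM's code): replays the posted
# stacks through Linux-PAM's control-flag rules for constructed module outcomes.
COMMON_AUTH = """
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""
COMMON_ACCOUNT = """
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
"""

def parse_stack(text):
    """[(type, control, module)] per line; module arguments are ignored."""
    return [tuple(line.split()[:3]) for line in text.strip().splitlines()]

def evaluate(stack, outcomes):
    """Walk one stack. outcomes: (type, module) -> bool; missing means fail.
    Returns (result, deciding module). Optional modules never decide here."""
    doomed_by = None
    for mtype, control, module in stack:
        ok = outcomes.get((mtype, module), False)
        if control == "requisite" and not ok:
            return False, module            # abort the stack immediately
        if control == "required" and not ok and doomed_by is None:
            doomed_by = module              # remembered; stack keeps running
        if control == "sufficient" and ok and doomed_by is None:
            return True, module             # short-circuit success
    return (False, doomed_by) if doomed_by else (True, None)

def diagnose(outcomes):
    """Result of both posted stacks: {type: (passed, deciding module)}."""
    return {t: evaluate(parse_stack(s), outcomes)
            for t, s in (("auth", COMMON_AUTH), ("account", COMMON_ACCOUNT))}

# Constructed scenario: Kerberos/LDAP user with no local passwd entry; the
# account is visible via NSS, pam_krb5 accepts it, pam_ldap rejects it.
LDAP_USER = {
    ("auth", "pam_env.so"): True, ("auth", "pam_gnome_keyring.so"): True,
    ("auth", "pam_unix2.so"): False, ("auth", "pam_krb5.so"): True,
    ("auth", "pam_deny.so"): False, ("account", "pam_unix2.so"): True,
    ("account", "pam_krb5.so"): True, ("account", "pam_localuser.so"): False,
    ("account", "pam_ldap.so"): False,
}
```

Calling diagnose(LDAP_USER) reports the auth stack passing on pam_krb5 (sufficient) while the account stack fails on pam_ldap (required), which is the kind of split the sshd log lines above can hide.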
