On 2010-10-01 at 20:30, Russ Allbery ( [email protected] ) said:

> pam_permit of course fixes it because it basically disables the entire
> account stack.  Just deleting everything out of the account stack would
> presumably also fix it.

The account stack needs /something/ in it or it fails completely.

> I wonder if pam_krb5 is a red herring here and what's actually failing is
> pam_unix.  Do the accounts you're trying to log in as exist in
> /etc/shadow?  Does it work if you remove pam_krb5 and only keep pam_unix?
> pam_unix does require all accounts be present in /etc/shadow.

These accounts exist through LDAP, so no entries in /etc/shadow.

It fails in the same manner with just pam_krb5.

pam_krb5 and pam_permit together work. Is your pam_krb5 returning nothing for pam_sm_acct_mgmt with GSSAPI SSH logins perhaps?

--andy
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
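
Added example, not part of the original message and not code from pam_krb5 or Linux-PAM: a simplified Python model of how Linux-PAM combines module return codes, showing why an account stack whose only module returns PAM_IGNORE is denied and why adding pam_permit lets it pass. It assumes Linux-PAM semantics, the `required` control flag on every line, and that "returning nothing" means PAM_IGNORE; the thread confirms none of these, and the module return codes are constructed.

```python
# Simplified model of Linux-PAM stack evaluation, limited to the four keyword
# control flags. Module names and return codes below are constructed samples.
SUCCESS, PERM_DENIED, IGNORE = "PAM_SUCCESS", "PAM_PERM_DENIED", "PAM_IGNORE"
NEW_AUTHTOK_REQD, ACCT_EXPIRED = "PAM_NEW_AUTHTOK_REQD", "PAM_ACCT_EXPIRED"

# Keyword controls expanded to their bracket form, as documented in pam.conf(5).
CONTROLS = {
    "required":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", IGNORE: "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", IGNORE: "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "default": "ignore"},
}

def run_stack(stack):
    """stack: list of (control, module, return_code); returns the final PAM code."""
    if not stack:
        return PERM_DENIED            # no handlers at all: the call must fail
    impression, status = None, PERM_DENIED   # the result starts out as "must fail"
    for control, _module, retval in stack:
        table = CONTROLS[control]
        action = table.get(retval, table["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":      # the first failure sets the result
                impression = "negative"
                status = PERM_DENIED if retval == IGNORE else retval
            if action == "die":
                break
        # action == "ignore": the module contributes nothing to the result
    return status

# Hypothetical account stacks matching the cases discussed in the thread.
KRB5_ONLY   = [("required", "pam_krb5", IGNORE)]
KRB5_PERMIT = [("required", "pam_krb5", IGNORE), ("required", "pam_permit", SUCCESS)]
EXPIRED     = [("required", "pam_krb5", ACCT_EXPIRED), ("required", "pam_permit", SUCCESS)]

if __name__ == "__main__":
    for name, stack in [("empty", []), ("krb5 only", KRB5_ONLY),
                        ("krb5 + permit", KRB5_PERMIT), ("expired + permit", EXPIRED)]:
        print(f"{name:18} -> {run_stack(stack)}")
```

In this model pam_permit is the only module that ever grants access when pam_krb5 ignores the request, so the stack then enforces no account restrictions for those logins.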
