Dear Brandon,

Thank you very much.

I haven't made any modifications to the file /etc/pam.d/system-auth; the content is:

[root@bws0481 ~]# vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Do I keep the several files, including /etc/pam.d/login, su, sudo and sshd, intact and just change the system-auth file?
Could you show me how to set entries in /etc/pam.d/system-auth?

Many thanks to you.

Cheers,
Qiulan

2013-10-22
huangql

From: Brandon Allbery
Sent: 2013-10-22 22:58:47
To: huangql; openafs-info
Cc:
Subject: Re: [OpenAFS] PAM authentication failed on SL6

/etc/pam.d/system-auth is where those entries belong, and by putting them directly in these entries instead of in the central system-auth stack you are very probably causing conflicts that prevent local auth (as for root) and possibly AFS auth (because both local password and AFS password are checked) to fail. But I can't be certain of this as you have not shown /etc/pam.d/system-auth, as I mentioned earlier.
-- 
brandon s allbery kf8nh          sine nomine associates
[email protected]             [email protected]
unix, openafs, kerberos, infrastructure, xmonad

From: huangql <[email protected]>
Date: Tuesday, October 22, 2013 10:53
To: Brandon Allbery <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: Re: [OpenAFS] PAM authentication failed on SL6

Hi Brandon,

Many thanks for your prompt reply.
The red characters are the points for PAM authentication. You mean there is not enough information; could you tell me what other information I could provide?

# cat /etc/pam.d/login
#%PAM-1.0
auth       sufficient   pam_afs.so try_first_pass ignore_root setenv_password_expires
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open

# cat /etc/pam.d/su
#%PAM-1.0
auth       sufficient   pam_afs.so try_first_pass ignore_root setenv_password_expires
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so

# cat /etc/pam.d/sshd
#%PAM-1.0
auth       sufficient   pam_afs.so try_first_pass ignore_root setenv_password_expires
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

#cat /etc/pam.d/sudo
#%PAM-1.0
auth       sufficient   pam_afs.so try_first_pass ignore_root setenv_password_expires
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so

Thanks a lot.

Best Regards
Qiulan Huang
2013-10-22
====================================================================
Computing center, the Institute of High Energy Physics, China
Huang, Qiulan                 Tel: (+86) 10 8823 6010-105
P.O. Box 918-7                Fax: (+86) 10 8823 6839
Beijing 100049 P.R. China     Email: [email protected]
===================================================================

From: Brandon Allbery
Sent: 2013-10-22 21:23:03
To: huangql; openafs-info
Cc:
Subject: Re: [OpenAFS] PAM authentication failed on SL6

On 10/22/13 05:38, "huangql" <[email protected]> wrote:
>The questions stuck me for weeks. Does anyone get the same problem and
>could you give me some suggestions?

You don't provide enough information, because all the stacks you provided
use pam_stack.so to load the system-auth stack which you didn't provide.

-- 
brandon s allbery kf8nh          sine nomine associates
[email protected]             [email protected]
unix, openafs, kerberos, infrastructure, xmonad
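
The layout discussed in this thread, where a service file calls pam_afs.so directly and also loads system-auth through pam_stack.so, can be checked mechanically. The following is an added example, not part of the original thread or of OpenAFS; the sample stacks are constructed, abbreviated copies of the ones quoted above, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample input: abbreviated copies of stacks quoted in the thread.
SAMPLE = {
    "sshd": """#%PAM-1.0
auth     sufficient  pam_afs.so try_first_pass ignore_root setenv_password_expires
auth     required    pam_stack.so service=system-auth
account  required    pam_stack.so service=system-auth
""",
    "su": """#%PAM-1.0
auth     sufficient  pam_afs.so try_first_pass ignore_root setenv_password_expires
auth     sufficient  /lib/security/$ISA/pam_rootok.so
auth     required    /lib/security/$ISA/pam_stack.so service=system-auth
""",
    "system-auth": """#%PAM-1.0
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok try_first_pass
auth     required    pam_deny.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
""",
}

# type, control (a keyword or a [value=action ...] block), module, arguments.
# Comment lines start with '#' and therefore never match.
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, control, module basename, args) for every rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2),
                          m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return rules

def audit(services, module="pam_afs.so", central="system-auth"):
    """List rules calling `module` directly in a service that also loads `central`."""
    report = {"central_has_module":
              any(r[2] == module for r in parse(services[central])), "direct": []}
    for name in sorted(services):
        rules = [] if name == central else parse(services[name])
        loads_central = any(
            (r[2] == "pam_stack.so" and "service=" + central in r[3])
            or (r[1] in ("include", "substack") and r[2] == central)
            for r in rules)
        report["direct"] += [(name, r[0], r[1]) for r in rules
                             if r[2] == module and loads_central]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed input the report lists the `auth sufficient` pam_afs.so rule in both sshd and su and shows that system-auth itself has no pam_afs.so entry.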
