hi everyone,

I'm running RHEL5 Workstation and I'm having a devil of a time with pam_krb5. I'm using kerberos 5 to authenticate all users and get AFS tokens upon login. I can login to the console or gdm just fine. When sshing into the machine with a kerberos 5 ticket, it properly passes the ticket and gets a token. When I try to ssh into the machine without a ticket and login with a password, it lets me into the machine, but I have no ticket. There is no local password for the user, so kerberos authentication is working, but the ticket isn't living past the initial password check.

The dns and hostname are working properly and I can kinit and aklog after login to get the proper access. Has anyone else seen this?

I've tried with and without using the pam_krb5 module.

/etc/pam.d/system-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass tokens
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5afs.so

/etc/pam.d/gdm:
#%PAM-1.0
auth       required    pam_env.so
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so

/etc/pam.d/sshd:
#%PAM-1.0
auth       include      system-auth
auth       sufficient   pam_krb5.so use_first_pass forwardable tokens external=sshd
#auth      sufficient   pam_afs.krb.so use_first_pass forwardable tokens
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    sufficient   pam_krb5.so forwardable tokens external=sshd
session    include      system-auth
session    required     pam_loginuid.so

UsePAM is yes in sshd_config


part of krb5.conf:
[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

Any help is appreciated. /var/log/secure indicates success, but there are no tickets in the shell.

Sincerely,
Jason

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
