On Sun, 2009-10-18 at 18:26 +0000, Steve Langasek wrote:
> On Sun, Oct 18, 2009 at 03:30:21PM -0000, Brian J. Murrell wrote:
> > common-account:
> > account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so debug audit
> > account [success=1 default=ignore] pam_ldap.so
>
> Where's the pam_deny line that was supposed to be here?

Ooops. Yes, I missed it amongst the comments given that I had commented it out in my debugging. There is indeed a:

account requisite pam_deny.so

in there now, and now it works. Not sure what even led me down this path in the first place given the default works just fine. Probably all of the ccreds messing around I have been doing.

> Your common-account does not match the system-managed file used by
> pam-auth-update. The jumps are supposed to jump *to* pam_permit, not *over*
> it.

Indeed, and when you jump to a pam_permit *then* followed by the pam_krb5 which should be ignored, it does indeed make sense in how it all is supposed to work.

> Sure, because you're skipping the line that's supposed to set the return
> value for the stack (pam_permit).

Indeed. Clear as day now.

> pam_krb5 doesn't set the return value for
> the stack when called for a non-Kerberos user, it returns PAM_IGNORE; and
> jumps also don't set the return value for the stack. You have to hit either
> the pam_permit or the (missing) pam_deny line to set the stack's return
> value.

Thanx for the excellent clarification and my apologies for wasting your time with this.

Now if we could just get pam-auth-update and pam_ccreds working, I wouldn't have to diddle the files after the fact.

--
pam-configs prevents root login with pam_unix
https://bugs.launchpad.net/bugs/454012
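
The stack evaluation described in the quoted replies above, as an added example that is not part of the original message and is not Linux-PAM code: a simplified Python model of the dispatch loop, run on the two jump lines from the thread. The `pam_permit`/`pam_krb5` tail, the position of the restored `pam_deny` line and the per-module results are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not libpam source) of how Linux-PAM folds
# per-module results into the single return value of the account stack.
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}
REQUISITE = {**REQUIRED, "default": "die"}
UNIX = {"success": 2, "new_authtok_reqd": "done", "default": "ignore"}  # from the thread
LDAP = {"success": 1, "default": "ignore"}                              # from the thread
# Assumed tail: the thread names pam_permit and pam_krb5 but does not show the lines.
TAIL = [(REQUIRED, "pam_permit"), (REQUIRED, "pam_krb5")]
BROKEN = [(UNIX, "pam_unix"), (LDAP, "pam_ldap")] + TAIL  # pam_deny commented out
FIXED = [(UNIX, "pam_unix"), (LDAP, "pam_ldap"), (REQUISITE, "pam_deny")] + TAIL

# Constructed module results: a local account such as root, and an unknown account.
ROOT = {"pam_unix": "success", "pam_ldap": "user_unknown", "pam_deny": "perm_denied",
        "pam_permit": "success", "pam_krb5": "ignore"}
UNKNOWN = {**ROOT, "pam_unix": "user_unknown"}

def run_stack(stack, results):
    """Return (stack result, modules actually called)."""
    status, impression, called, i = "perm_denied", None, [], 0
    while i < len(stack):
        control, module = stack[i]
        ret = results[module]
        called.append(module)
        action = control.get(ret, control["default"])
        i += 1
        if isinstance(action, int):      # jump: skip N lines, status is not touched
            i += action
            if i > len(stack):           # jumped past the end: configuration error
                return "perm_denied", called
        elif action in ("ok", "done"):
            if ret != "ignore" and (impression is None or (impression, status) == ("positive", "success")):
                status, impression = ret, "positive"
            if action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                status, impression = ("perm_denied" if ret == "ignore" else ret), "negative"
            if action == "die":
                break
        # action == "ignore": the module's result never reaches the stack status
    # Nothing positive recorded means the stack fails, as libpam's sanity check does.
    if status == "success" and impression != "positive":
        status = "perm_denied"
    return status, called

if __name__ == "__main__":
    for name, stack, user in [("broken/root", BROKEN, ROOT), ("fixed/root", FIXED, ROOT),
                              ("fixed/unknown", FIXED, UNKNOWN)]:
        print(name, *run_stack(stack, user))
```

For root, the broken layout calls only `pam_unix` and `pam_krb5`, so no line ever sets a result and the stack is denied; with `pam_deny` restored, the same jump lands on `pam_permit`.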
