[OpenAFS] Openafs Client with pam krb5 and ldap

Claudio Prono claudio.prono@atpss.net
Fri, 01 Oct 2010 18:24:26 +0200


Douglas E. Engert ha scritto:
>
>
> On 10/1/2010 10:46 AM, Claudio Prono wrote:
>> Hello all,
>>
>> I am searching someone experienced with an openafs-client with pam,
>> kerberos and ldap.
>
> What OS?
>
It is OpenSuse 11.3.
>>
>> I am trying to use a single sign-on to a Linux client with AFS (shell
>> user, no local user). I have set up PAM with krb5 and AFS, with these
>> configs:
>>
>> /etc/pam.d/common-auth
>>
>> auth    required        pam_env.so
>> auth    optional        pam_gnome_keyring.so
>> auth    sufficient      pam_unix2.so
>> auth    sufficient      pam_krb5.so     use_first_pass
>> auth    required        pam_deny.so
>>
>> /etc/pam.d/common-session
>>
>> session required        pam_limits.so
>> session required        pam_unix2.so
>> session optional        pam_krb5.so
>> session optional        pam_umask.so
>> session optional        pam_gnome_keyring.so    auto_start only_if=gdm,lxdm
>>
>> /etc/pam.d/common-password
>>
>> password        requisite       pam_pwcheck.so  nullok cracklib
>> password        optional        pam_gnome_keyring.so    use_authtok
>> password        [default=ignore success=1]      pam_succeed_if.so uid>  999 quiet
>> password        sufficient      pam_unix2.so    use_authtok nullok
>> password        sufficient      pam_krb5.so
>> password        required        pam_deny.so
>>
>> /etc/pam.d/common-account
>>
>> account requisite       pam_unix2.so
>> account required        pam_krb5.so     use_first_pass ignore_unknown_principals
>> account sufficient      pam_localuser.so
>> account required        pam_ldap.so     use_first_pass
>
> Are you sure you need the pam_ldap.so here? It's generally used
> only for authentication, and you are using Kerberos.
> If you have nss_ldap setup via /etc/nsswitch.conf you should
> not need pam_ldap.so.
>
> Which pam_krb5 are you using? Does it do AFS?
> If not you will also need pam_afs_session.so to get tokens.
>
I have tried to remove pam_ldap.so from common-account, but it did not
solve anything. Same error. This is my nsswitch.conf:

passwd: compat
group:  files ldap
shadow: files

hosts:  files mdns4_minimal [NOTFOUND=return] dns
networks:       files dns

services:       files ldap
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files ldap
publickey:      files

bootparams:     files
automount:      files nis ldap
aliases:        files ldap
passwd_compat:  ldap

>>
>> If I do an id [user] on the remote machine, it works (it is not a local
>> user)
>>
>> id claudio
>> uid=1003(claudio) gid=100(users)
>> groups=100(users),1000(domadm),1001(Domain Admins)
>>
>> But, when I try to log in with an LDAP/Kerberos user, in the machine
>> logs I get this:
>>
>> Oct  1 16:48:03 linux-7w13 sshd[4192]: pam_krb5[4192]: authentication
>> succeeds for 'claudio' (claudio@MEDIASERVICE-TEST.PRI)
>> Oct  1 16:48:03 linux-7w13 sshd[4099]: error: PAM: Authentication
>> failure for claudio from 192.168.87.131
>>
>> I don't understand... why does it first succeed, and then fail?
>>
>> What is wrong?
>>
>> Any hint is welcome..
>>
>> Cheers,
>>
>> Claudio.
>>
>

-- 
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer               
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
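The question in this thread, how a login can log a pam_krb5 success and still end in "PAM: Authentication failure", turns on how PAM combines module results inside each stack. The Python below is an added example, not code from the thread, from OpenAFS or from Linux-PAM: it models the control-flag rules documented in pam.conf(5) (required, requisite, sufficient, optional and the [value=action] form) and runs the common-auth, common-account and common-password stacks posted above. The module outcomes it feeds in are assumed for illustration, not taken from the poster's host, so it shows only how a stack evaluates, not which module failed there: each stack is scored on its own, a requisite failure in common-account ends the login no matter what common-auth returned, and [default=ignore success=1] jumps over the next module.

```python
"""Model of Linux-PAM control-flag stacking (pam.conf(5) semantics), run over
the PAM stacks posted in this thread. Added example; module results are assumed."""

# Shorthand keywords as the [value=action] tables pam.conf(5) defines them.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Stacks copied from the thread (pam_gnome_keyring left out of common-password).
COMMON_AUTH = """
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
auth    sufficient      pam_unix2.so
auth    sufficient      pam_krb5.so     use_first_pass
auth    required        pam_deny.so
"""
COMMON_ACCOUNT = """
account requisite       pam_unix2.so
account required        pam_krb5.so     use_first_pass ignore_unknown_principals
account sufficient      pam_localuser.so
account required        pam_ldap.so     use_first_pass
"""
COMMON_PASSWORD = """
password        requisite       pam_pwcheck.so  nullok cracklib
password        [default=ignore success=1]      pam_succeed_if.so uid > 999 quiet
password        sufficient      pam_unix2.so    use_authtok nullok
password        sufficient      pam_krb5.so
password        required        pam_deny.so
"""


def parse_stack(text):
    """Parse 'type control module [args]' lines into (control, module) pairs;
    a bracket control such as [default=ignore success=1] may contain spaces."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        control, i = f[1], 2
        while control.startswith("[") and not control.endswith("]"):
            control, i = control + " " + f[i], i + 1
        entries.append((control, f[i]))
    return entries


def actions_for(control):
    """{return value: action} for one control field; unlisted values fall to 'bad'."""
    if control.startswith("["):
        return dict(tok.split("=", 1) for tok in control.strip("[]").split())
    return SHORTHAND[control]


def run_stack(entries, outcomes):
    """Evaluate one stack. `outcomes` maps module -> PAM return value ('success',
    'auth_err', 'ignore', ...); unlisted modules are assumed to return PAM_IGNORE.
    Returns (status, trace)."""
    impression, status = None, "perm_denied"   # Linux-PAM starts from PAM_PERM_DENIED
    trace, skip = [], 0
    for control, module in entries:
        if skip:
            skip -= 1
            trace.append(f"{module}: skipped by jump")
            continue
        retval = outcomes.get(module, "ignore")
        table = actions_for(control)
        action = table.get(retval, table.get("default", "bad"))
        trace.append(f"{module}: {retval} -> {action}")
        if action.isdigit():                      # N: acts like 'ok', then jumps N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done") and impression != "negative":
            impression, status = "positive", retval   # never overrides a recorded failure
        elif action in ("bad", "die") and impression != "negative":
            impression, status = "negative", retval   # the first failure fixes the status
        if action in ("done", "die"):             # these two terminate the stack
            trace.append("stack terminated")
            break
    return status, trace


def scenarios():
    """Assumed module outcomes (constructed, not observed on the poster's host)."""
    auth, account, pw = (parse_stack(s) for s in (COMMON_AUTH, COMMON_ACCOUNT, COMMON_PASSWORD))
    return {
        # no local password, Kerberos succeeds: 'sufficient' ends the stack before pam_deny
        "auth: kerberos user": run_stack(auth, {
            "pam_env.so": "success", "pam_unix2.so": "auth_err", "pam_krb5.so": "success"}),
        # same user in the account stack: a 'requisite' failure returns at once, so the
        # earlier auth success and the later modules' successes change nothing
        "account: pam_unix2 denies": run_stack(account, {
            "pam_unix2.so": "auth_err", "pam_krb5.so": "success", "pam_ldap.so": "success"}),
        # user in /etc/passwd: 'sufficient' pam_localuser ends the stack before pam_ldap
        "account: local user": run_stack(account, {
            "pam_unix2.so": "success", "pam_localuser.so": "success", "pam_ldap.so": "auth_err"}),
        # [success=1] jumps over pam_unix2 when pam_succeed_if matches
        "password: uid > 999": run_stack(pw, {
            "pam_pwcheck.so": "success", "pam_succeed_if.so": "success",
            "pam_unix2.so": "auth_err", "pam_krb5.so": "success"}),
    }


if __name__ == "__main__":
    for name, (status, trace) in scenarios().items():
        print(f"{name}: {status}\n    " + "\n    ".join(trace))
```

On the host itself the same split can be observed with the real stacks: if pamtester is installed (an assumption), `pamtester -v sshd claudio authenticate acct_mgmt` runs the auth and account operations one after the other and reports which of the two returns the failure.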