[OpenAFS] Openafs Client with pam krb5 and ldap

Andy Cobaugh phalenor@gmail.com
Sat, 2 Oct 2010 00:14:56 -0400 (EDT)

On 2010-10-01 at 20:30, Russ Allbery ( rra@stanford.edu ) said:
> pam_permit of course fixes it because it basically disables the entire
> account stack.  Just deleting everything out of the account stack would
> presumably also fix it.

The account stack needs /something/ in it or it fails completely.

> I wonder if pam_krb5 is a red herring here and what's actually failing is
> pam_unix.  Do the accounts you're trying to log in as exist in
> /etc/shadow?  Does it work if you remove pam_krb5 and only keep pam_unix?
> pam_unix does require all accounts be present in /etc/shadow.

These accounts exist through ldap, so no entries in /etc/shadow.

It fails in the same manner with just pam_krb5.

pam_krb5 and pam_permit together work. Is your pam_krb5 returning nothing 
for pam_sm_acct_mgmt with gssapi ssh logins perhaps?