[OpenAFS] Openafs Client with pam krb5 and ldap

Russ Allbery rra@stanford.edu
Fri, 01 Oct 2010 21:50:43 -0700

Russ Allbery <rra@stanford.edu> writes:

> Oh, I understand now.  pam_unix fails, and you were expecting pam_krb5
> to return success (blindly) to counter pam_unix's failure, but since
> pam_krb5 (correctly) returns PAM_IGNORE for users about which it has no
> information, logins are failing because of the pam_unix failure.  Or, if
> you remove pam_unix, because all modules in the stack returned

Oh, and the other piece I forgot to mention: you saw this start happening
in lenny because in etch pam-krb5 did blindly return PAM_SUCCESS if the
user didn't log in with a password.  This was changed in 3.11:

    pam_setcred, pam_open_session, and pam_acct_mgmt now return PAM_IGNORE
    for ignored users or non-Kerberos logins rather than PAM_SUCCESS.
    This return code tells the PAM library to continue as if the module
    were not present in the configuration and allows sufficient to be
    meaningful for pam-krb5 in account and session groups.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>