[OpenAFS] authentication at login fails, but klog works after logging in

Paul Johnson pauljohn32@gmail.com
Fri, 25 Aug 2006 15:02:38 -0500


In Fedora Core 5 we are running openafs-1.4.1-1.6.  In pam.d's
system-auth, we have included AFS lines to allow the afs password
to authenticate users. The auth checker first looks at afs, then an
ldap server, then at a windows domain.  It used to work fine.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    /lib/security/$ISA/pam_afs.so use_first_pass ignore_root
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so debug use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so


A new problem has started to occur. The afs server rejects the login
and in /var/log/messages I see this:


Aug 25 14:22:37 pols16 pam_afs[2722]: AFS Authentication failed for user pauljohn. ID is locked - see your system admin (KALOCKED)

My system admin says everything is fine, and I CAN mount the afs shares with

> klog pauljohn

Have you seen this, and have you any advice about addressing it?

pj




-- 
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
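An added example, not part of the post above: it models the quoted "auth" stack under Linux-PAM's simple control-flag rules (required, requisite, sufficient, optional) so you can see what a pam_afs failure such as KALOCKED does to the overall result. The module outcomes passed in are constructed assumptions; the stack text is a copy of the post's configuration.

```python
from typing import Dict, List, Tuple

# Copy of the "auth" section from the post's system-auth (constructed for the example).
SYSTEM_AUTH = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient /lib/security/$ISA/pam_afs.so use_first_pass ignore_root
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_smb_auth.so debug use_first_pass
auth required pam_deny.so
"""


def parse_stack(text: str, facility: str = "auth") -> List[Tuple[str, str]]:
    """Return (control, module) pairs for one PAM facility; paths are reduced to the .so name."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        entries.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return entries


def evaluate(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Simulate the simple control flags for one pass through the stack.

    results maps module name -> True (PAM_SUCCESS) or False (any failure);
    a module not listed is assumed to fail. Returns (authenticated, trace).
    """
    trace: List[str] = []
    required_failed = False
    for control, module in stack:
        ok = results.get(module, False)
        trace.append(f"{module}: {'success' if ok else 'fail'} [{control}]")
        if control == "requisite" and not ok:
            return False, trace            # requisite failure stops the stack at once
        if control == "required" and not ok:
            required_failed = True         # keep walking, but the final answer is failure
        if control == "sufficient" and ok and not required_failed:
            return True, trace             # sufficient success short-circuits the stack
        # a failing "sufficient" or any "optional" module is simply skipped
    return not required_failed, trace


if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    # Situation in the post: no local password, kaserver answers KALOCKED, LDAP/SMB do not know the user.
    print(evaluate(stack, {"pam_env.so": True}))
    # Healthy case: the AFS password is accepted, so pam_ldap/pam_smb_auth are never consulted.
    print(evaluate(stack, {"pam_env.so": True, "pam_afs.so": True}))
```

The trace makes the point that a KALOCKED failure from pam_afs is not itself fatal in this stack; the login is denied only because every later "sufficient" fallback also fails and pam_deny is reached.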