[OpenAFS] Openafs Client with pam krb5 and ldap
Claudio Prono
claudio.prono@atpss.net
Fri, 01 Oct 2010 17:46:35 +0200
Hello all,
I am searching for someone experienced with an openafs-client with pam,
kerberos and ldap.
I am trying to use a single signon to a linux client with afs (shell
user, no local user). I have set up pam with krb5 and afs, with these
configs:
/etc/pam.d/common-auth
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
/etc/pam.d/common-session
session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so
session optional pam_umask.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm
/etc/pam.d/common-password
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_deny.so
/etc/pam.d/common-account
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
If I do an id [user] on the remote machine, it works (it is not a local user):
id claudio
uid=1003(claudio) gid=100(users) groups=100(users),1000(domadm),1001(Domain Admins)
But when I try to log in with an ldap/kerberos user, in the machine
logs I get this:
Oct 1 16:48:03 linux-7w13 sshd[4192]: pam_krb5[4192]: authentication succeeds for 'claudio' (claudio@MEDIASERVICE-TEST.PRI)
Oct 1 16:48:03 linux-7w13 sshd[4099]: error: PAM: Authentication failure for claudio from 192.168.87.131
I don't understand... why does it first succeed, and then fail?
What is wrong?
Any hint is welcome..
Cheers,
Claudio.
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
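
Added example, not part of the original message: a simplified model of how Linux-PAM combines the keyword control flags, run over the auth and account stacks quoted above. It shows that one module logging success does not fix the verdict of the whole login. The per-module outcomes are constructed assumptions, not a diagnosis of this system, and bracket controls such as [default=ignore success=1] are not modelled.

```python
# Added illustration: simplified Linux-PAM evaluation of the keyword control
# flags required / requisite / sufficient / optional (no bracket controls).

AUTH_STACK = """\
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""

ACCOUNT_STACK = """\
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
"""

def evaluate(stack_text, outcomes):
    """Return (granted, trace). outcomes maps module -> True/False and is an
    assumed input from the caller, not the result of running the modules."""
    impression = None  # None: undecided, True: positive, False: required failed
    trace = []
    for line in stack_text.splitlines():
        _facility, control, module = line.split()[:3]
        ok = outcomes[module]
        trace.append((module, control, "success" if ok else "failure"))
        if ok:
            if impression is not False:
                impression = True
                if control == "sufficient":
                    return True, trace   # stop here, stack succeeds
        elif control == "required":
            impression = False           # keep going, but stack will fail
        elif control == "requisite":
            return False, trace          # fail immediately
    return impression is True, trace     # sufficient/optional failures ignored

# Constructed outcomes for a hypothetical user known only to Kerberos and LDAP.
AUTH_OUTCOMES = {"pam_env.so": True, "pam_gnome_keyring.so": False,
                 "pam_unix2.so": False, "pam_krb5.so": True, "pam_deny.so": False}
ACCOUNT_OUTCOMES = {"pam_unix2.so": True, "pam_krb5.so": True,
                    "pam_localuser.so": False, "pam_ldap.so": False}

if __name__ == "__main__":
    for name, s, o in (("auth", AUTH_STACK, AUTH_OUTCOMES), ("account", ACCOUNT_STACK, ACCOUNT_OUTCOMES)):
        print(name, evaluate(s, o))
```

With these assumed outcomes the auth stack is granted as soon as pam_krb5.so succeeds, while the account stack is denied because a required module fails after it; changing a single outcome shows which module decides each stack.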