[OpenAFS] Openafs Client with pam krb5 and ldap
Andy Cobaugh
phalenor@gmail.com
Fri, 1 Oct 2010 12:05:54 -0400 (EDT)
On 2010-10-01 at 17:46, Claudio Prono ( claudio.prono@atpss.net ) said:
> /etc/pam.d/common-account
>
> account requisite pam_unix2.so
> account required pam_krb5.so use_first_pass ignore_unknown_principals
> account sufficient pam_localuser.so
> account required pam_ldap.so use_first_pass
One, if you're using LDAP for user/group info (as configured through
nsswitch.conf), LDAP never plays into PAM, so you don't need pam_ldap
anywhere.

Two, I'm guessing this is debian? I've had issues making this work with
GSSAPI on lenny, and have an account section like this:

account sufficient pam_permit.so debug
account required pam_unix.so debug

I spent a great deal of time fighting this when we upgraded the couple
remaining debian machines here to lenny.

Others can most likely provide more help than that, just thought I'd
mention the issue with the account section in case that ends up being a
problem for you.

--andy
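
How the two account stacks quoted in this thread are walked, as an added example that is not part of the original message: a simplified Python model of how Linux-PAM handles the requisite, required, sufficient and optional keywords (bracketed controls are not modelled). The names `parse_stack` and `evaluate` and the per-module outcomes passed in are constructed for illustration.

```python
# Simplified model of how Linux-PAM walks an "account" stack (added example).
CLAUDIO = """\
account requisite  pam_unix2.so
account required   pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required   pam_ldap.so use_first_pass
"""
ANDY = """\
account sufficient pam_permit.so debug
account required   pam_unix.so debug
"""

def parse_stack(text):
    """Return (control, module) pairs for the 'account' lines in text."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "account":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """Return (granted, modules_consulted).

    outcomes maps module name -> True (success) or False (failure); these are
    constructed inputs. Modules not listed are assumed to succeed.
    """
    status = None                      # None: no module has set a result yet
    consulted = []
    for control, module in stack:
        ok = outcomes.get(module, True)
        consulted.append(module)
        if ok:
            if control == "sufficient" and status is not False:
                return True, consulted  # success ends the stack here
            if status is None:
                status = True
        elif control == "requisite":
            return False, consulted     # failure ends the stack here
        elif control == "required":
            status = False              # remembered; later modules still run
        # failed 'sufficient' and 'optional' modules are ignored
    return status is True, consulted

if __name__ == "__main__":
    sample = {"pam_ldap.so": False, "pam_unix.so": False}  # constructed outcomes
    for name, text in (("first stack", CLAUDIO), ("second stack", ANDY)):
        print(name, evaluate(parse_stack(text), sample))
```

In the second stack pam_unix.so is never consulted, because pam_permit.so always returns success; in the first, pam_ldap.so is skipped whenever pam_localuser.so succeeds.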