[OpenAFS] Openafs Client with pam krb5 and ldap

Andy Cobaugh phalenor@gmail.com
Fri, 1 Oct 2010 23:00:20 -0400 (EDT)


On 2010-10-01 at 19:03, Russ Allbery ( rra@stanford.edu ) said:
>> account [default=ignore ignore=ignore success=ok]       pam_krb5.so debug
>
> That doesn't look like anything that would ever be generated by default
> and it isn't in the docs.  I wonder if that's causing your problem.  PAM
> stacks can sometimes do really strange things if you set ignore as the
> action and it's the last module in the stack.

Well, I didn't put it there, so something did. I've seen that line on 
systems that were originally lenny, and systems that were upgraded to 
lenny.

> account required        pam_unix.so
> account required        pam_krb5.so

Yep, putting exactly those lines in common-account gives 'Connection close 
by foo'. I'm fairly certain I tried every combination of requires, 
sufficient, etc to the same effect. Only thing that made it work was 
putting in a module that returns success always, like pam_permit.

> I have to assume there's something really screwy with how something on
> your systems is set up or something about the too-complex PAM
> configuration isn't working properly, since this just works out of the box
> with me with supposedly the same versions of everything.

Well, one system was installed with lenny to begin with, and for over a 
year we would have to do GSSAPIAuthentication=no to login to it, and the 
other 2 systems were upgraded to lenny, which subsequently broke gssapi 
logins in the same manner. Putting in pam_permit on all 3 systems fixed 
them.

Doesn't matter to us so much now, though. At least 2 of these systems will 
be reinstalled with RHEL6 when it comes out, and the third isn't used by 
anyone ssh'ing to it that can make use of gssapi, so...

If you have any other things you want me to try, I will for the sake of 
fixing whatever the real problem is, but no other system has this problem, 
only these lone Debian lenny systems.

I should note that the 2 systems that were upgraded were working fine 
before they were bumped up to lenny. All 3 are running the same version of 
libpam-krb5, 3.11-4.

--andy
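
The remark quoted above about `ignore` being the action on the last module, worked through as an added example (not code from this thread or from Linux-PAM). It is a simplified model of how a stack's result is decided: the module return values are assumptions, the `pam_permit.so` line is constructed, and numeric jump and reset actions are not modelled.

```python
import re

# Keyword controls and their bracket equivalents, as listed in pam.conf(5).
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_line(line):
    """Return ({return_value: action}, module) for one 'account ...' line."""
    m = re.match(r"\s*\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
    control, module = m.group(1), m.group(2)
    spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
    return dict(pair.split("=") for pair in spec.split()), module

def evaluate(lines, returns):
    """Walk the stack; `returns` maps module -> assumed return value."""
    status, impression = "perm_denied", None  # fail unless a module vouches
    for line in lines:
        actions, module = parse_line(line)
        retval = returns[module]
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                status, impression = retval, "pos"
            if action == "done" and impression == "pos":
                break
        elif action in ("bad", "die"):
            if impression != "neg":
                status, impression = retval, "neg"
            if action == "die":
                break
        # action == "ignore": the module contributes nothing to the result
    if status == "success" and impression != "pos":
        status = "perm_denied"
    return status

# Constructed inputs: the quoted line from the thread, and a pam_permit line.
KRB5_ONLY = ["account [default=ignore ignore=ignore success=ok]       pam_krb5.so debug"]
WITH_PERMIT = KRB5_ONLY + ["account required        pam_permit.so"]
ASSUMED = {"pam_krb5.so": "ignore", "pam_permit.so": "success"}  # assumption

if __name__ == "__main__":
    print(evaluate(KRB5_ONLY, ASSUMED))    # perm_denied
    print(evaluate(WITH_PERMIT, ASSUMED))  # success
```

In this model a stack in which every module is ignored never records a positive result, so the account check is denied; any module that returns success earlier or later in the stack changes the outcome.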