[OpenAFS] Openafs Client with pam krb5 and ldap
Andy Cobaugh
phalenor@gmail.com
Sat, 2 Oct 2010 00:14:56 -0400 (EDT)
On 2010-10-01 at 20:30, Russ Allbery ( rra@stanford.edu ) said:
>
> pam_permit of course fixes it because it basically disables the entire
> account stack. Just deleting everything out of the account stack would
> presumably also fix it.

The account stack needs /something/ in it or it fails completely.

> I wonder if pam_krb5 is a red herring here and what's actually failing is
> pam_unix. Do the accounts you're trying to log in as exist in
> /etc/shadow? Does it work if you remove pam_krb5 and only keep pam_unix?
> pam_unix does require all accounts be present in /etc/shadow.

These accounts exist through ldap, so no entries in /etc/shadow.
It fails in the same manner with just pam_krb5.

pam_krb5 and pam_permit together work. Is your pam_krb5 returning nothing
for pam_sm_acct_mgmt with gssapi ssh logins perhaps?

--andy