[OpenAFS] Openafs Client with pam krb5 and ldap

Andy Cobaugh phalenor@gmail.com
Sat, 2 Oct 2010 09:48:18 -0400 (EDT)


On 2010-10-01 at 21:50, Russ Allbery (rra@stanford.edu) said:
> Russ Allbery <rra@stanford.edu> writes:
>
>> Oh, I understand now.  pam_unix fails, and you were expecting pam_krb5
>> to return success (blindly) to counter pam_unix's failure, but since
>> pam_krb5 (correctly) returns PAM_IGNORE for users about which it has no
>> information, logins are failing because of the pam_unix failure.  Or, if
>> you remove pam_unix, because all modules in the stack returned
>> PAM_IGNORE.
>
> Oh, and the other piece I forgot to mention: you saw this start happening
> in lenny because in etch pam-krb5 did blindly return PAM_SUCCESS if the
> user didn't log in with a password.  This was changed in 3.11:
>
>    pam_setcred, pam_open_session, and pam_acct_mgmt now return PAM_IGNORE
>    for ignored users or non-Kerberos logins rather than PAM_SUCCESS.
>    This return code tells the PAM library to continue as if the module
>    were not present in the configuration and allows sufficient to be
>    meaningful for pam-krb5 in account and session groups.

Yeah, I think I remember reading that.

On Red Hat, account uses pam_unix, pam_krb5, then pam_permit after running
authconfig and telling it to use ldap and /etc/passwd for authZ, and krb5
and /etc/shadow for authN, so I think pam_permit may be the right way to
go.

Thanks for clearing this up.

--andy
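The stacking behaviour discussed above (a PAM_IGNORE from pam_krb5 cannot offset a failure from pam_unix, a stack in which every module returns PAM_IGNORE is refused, and a trailing pam_permit only helps when nothing before it has already failed) can be reproduced with a small model of how Linux-PAM walks one management group. The following is an added illustration, not code from this thread or from pam-krb5: it encodes the action tables that Linux-PAM uses for the simple control keywords (required, requisite, sufficient, optional) and its default "must fail" result when no module casts a vote, with simplifications noted in the comments. The module return values in the scenarios are constructed to match the situations described in the messages.

```python
"""Simplified model of Linux-PAM evaluating one management group (e.g. the
'account' stack).  It shows why a module returning PAM_IGNORE cannot rescue
an earlier failure and why an all-PAM_IGNORE stack is denied."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # Linux-PAM's default "must fail" code

# How Linux-PAM expands the simple control keywords into action tables.
# A module that returns PAM_IGNORE is always skipped, whatever the control.
CONTROLS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def _action(control, retval):
    table = CONTROLS[control]
    if retval == PAM_SUCCESS:
        return table["success"]
    if retval == PAM_IGNORE:
        return "ignore"
    return table["default"]


def evaluate(stack):
    """stack: list of (control, module_name, simulated_return_code).
    Returns the code the PAM library would hand back to the application.
    Simplification: 'done' after an earlier failure just keeps walking;
    the outcome (failure) is the same as in the real library."""
    impression = None          # None = undefined, True = positive, False = negative
    status = PAM_PERM_DENIED
    for control, module, retval in stack:
        act = _action(control, retval)
        if act == "ignore":
            continue           # as if the module were not in the configuration
        if act in ("ok", "done"):
            # a success only counts if nothing has failed yet
            if impression is None or (impression is True and status == PAM_SUCCESS):
                impression, status = True, retval
            if act == "done" and impression is True and status == PAM_SUCCESS:
                break          # sufficient: stop here with success
        else:                  # "bad" or "die": record the first failure
            if impression is not False:
                impression, status = False, retval
            if act == "die":
                break          # requisite: stop immediately
    if impression is None:
        status = PAM_PERM_DENIED   # nobody voted: Linux-PAM refuses by default
    return status


# Constructed scenarios matching the thread (return codes are assumptions).
UNIX_FAIL = ("required", "pam_unix", PAM_USER_UNKNOWN)   # user not in /etc/shadow
UNIX_OK = ("required", "pam_unix", PAM_SUCCESS)          # local user
KRB5_IGNORE = ("sufficient", "pam_krb5", PAM_IGNORE)     # non-Kerberos login
KRB5_OK = ("sufficient", "pam_krb5", PAM_SUCCESS)        # Kerberos login
PERMIT = ("required", "pam_permit", PAM_SUCCESS)


def pam_unix_fails_krb5_ignores():
    # The original problem: pam_unix fails, pam_krb5 no longer says "success".
    return evaluate([UNIX_FAIL, KRB5_IGNORE])              # PAM_USER_UNKNOWN


def only_ignores():
    # pam_unix removed: every module returns PAM_IGNORE, so the login fails.
    return evaluate([KRB5_IGNORE])                          # PAM_PERM_DENIED


def ignore_then_permit():
    # pam_permit gives the stack a definite success when pam_krb5 abstains.
    return evaluate([KRB5_IGNORE, PERMIT])                  # PAM_SUCCESS


def required_failure_then_permit():
    # Caveat: pam_permit cannot override an earlier 'required' failure.
    return evaluate([UNIX_FAIL, KRB5_IGNORE, PERMIT])       # PAM_USER_UNKNOWN


def kerberos_user_short_circuits():
    # A Kerberos user is accepted by 'sufficient' before pam_permit is reached.
    return evaluate([UNIX_OK, KRB5_OK, PERMIT])             # PAM_SUCCESS


if __name__ == "__main__":
    for fn in (pam_unix_fails_krb5_ignores, only_ignores, ignore_then_permit,
               required_failure_then_permit, kerberos_user_short_circuits):
        print(f"{fn.__name__}: {fn()}")
```

The fourth scenario is the check worth keeping in mind when copying a distribution's generated stack: a trailing pam_permit only turns an "everyone abstained" result into success, so the pam_unix entry ahead of it must itself succeed (or be made non-fatal) for users that exist only in LDAP.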