[OpenAFS] PAM authentication failed on SL6

huangql huangql@ihep.ac.cn
Tue, 22 Oct 2013 17:38:53 +0800


Dear all,

I found that the same PAM configuration doesn't work on SL6 (it always works well on SL4 and SL5), and even the privileged account "root" cannot log in normally after we configure PAM to enable AFS login.


Some specifications are as follows:

Operating system: Scientific Linux release 6.4 (Carbon), 2.6.32-358.14.1.el6.x86_64

OpenAFS: openafs-1.4.15, without Kerberos 5

Cell name: ihep.ac.cn

# cat /etc/pam.d/login

#%PAM-1.0
auth       sufficient   pam_afs.so try_first_pass ignore_root setenv_password_expires
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open

# cat /etc/pam.d/su
#%PAM-1.0
auth       sufficient   pam_afs.so try_first_pass ignore_root setenv_password_expires
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so

# cat /etc/pam.d/sshd
#%PAM-1.0
auth       sufficient   pam_afs.so try_first_pass ignore_root setenv_password_expires
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth


# cat /etc/pam.d/sudo
#%PAM-1.0
auth       sufficient   pam_afs.so try_first_pass ignore_root setenv_password_expires
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so


These questions have had me stuck for weeks. Has anyone had the same problem, and could you give me some suggestions?

Thank you very much in advance.


Best Regards
Qiulan Huang
2013-10-22
====================================================================
Computing Center, the Institute of High Energy Physics, China
Huang, Qiulan                        Tel: (+86) 10 8823 6010-105
P.O. Box 918-7                       Fax: (+86) 10 8823 6839
Beijing 100049  P.R. China           Email: huangql@ihep.ac.cn
===================================================================