pam-krb5 2.6 released

Markus Moeller huaraz at moeller.plus.com
Thu Dec 14 15:16:10 EST 2006



"Christopher D. Clausen" <cclausen at acm.org> wrote in message 
news:E9BBFEF8121D40778CDFCE6D51ED15A0 at ad.uiuc.edu...
> >From the manual page:
> http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html
>
> realm=<realm>
> "If the obtained credentials are supposed to allow access to a shell
> account, the user will need an appropriate .k5login file entry or the
> system will have to have a custom aname_to_localname mapping. "
>
> Do you have the appropriate entries in .k5login?  Or a custom
> aname_to_localname mapping (presumably in krb5.conf) ?
>
> <<CDC

That would be the second step after auth which  I didn't pass as pam_krb5 
never send an AS-REQ to DOMAIN2.COM's kdc

Markus


>
> Markus Moeller <huaraz at moeller.plus.com> wrote:
>> Russ,
>>
>> I have a setup where I have two domains with trust and would like to
>> have users from either domain to login to my Unix machine to
>> applications which can't use GSSAPI so I need to use pam_krb5 to have
>> some form of SSO. My Unix system is in DOMAIN1.COM which is
>> configured to be the default domain in krb5.conf . I configured pam
>> (on Solaris 2.8) as follows:
>>
>> #authentication
>> other auth sufficient      pam_krb5-2.6.so.1 minimum_uid=100 debug
>> other auth sufficient      pam_krb5-2.6.so.1 minimum_uid=100
>> realm=DOMAIN2.COM use_first_pass debug
>> other auth required       pam_unix.so.1 try_first_pass debug
>> # account
>> other account sufficient   pam_krb5-2.6.so.1 minimum_uid=100 debug
>> other account sufficient   pam_krb5-2.6.so.1 minimum_uid=100
>> realm=DOMAIN2.COM debug
>> other account required    pam_unix.so.1 debug
>> # session
>> other session required     pam_default.so.1 debug
>>
>> The problem I have is that despite setting the realm to DOMAIN2.COM
>> the system always tries to connect to kdcs of DOMAIN1.COM never
>> DOMAIN2.COM despite getting an unknown user from DOMAIN1 for users of
>> DOMAIN2 as it should be. It seems that the kerberos context of the
>> first pam_sm_authenticate call is still used for the second despite
>> changing the realm.
>>
>> Thanks
>> Markus
>>
>> BTW  Is it intention to use different defines for the below ?
>>
>> # grep KRB5_GET_INIT *.[ch]
>> config.h:/* #undef HAVE_KRB5_GET_INIT_OPT_SET_DEFAULT_FLAGS */
>> support.c:#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
>> #
>>
>>
>> "Russ Allbery" <rra at stanford.edu> wrote in message
>> news:871wnnyy8j.fsf at windlord.stanford.edu...
>>> I'm pleased to announce release 2.6 of my Kerberos v5 PAM module.
>>> This is a bug-fix release; the feature improvements that were
>>> intended to be in this release have been deferred to the next
>>> release.
>>>
>>> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or
>>> Heimdal. It supports ticket refreshing by screen savers,
>>> configurable authorization handling, authentication of non-local
>>> accounts for network services, password changing, and password
>>> expiration, as well as all the standard expected PAM features.  It
>>> works correctly with OpenSSH, even with
>>> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
>>> supports configuration either by PAM options or in krb5.conf or
>>> both.
>>>
>>> Changes from previous release:
>>>
>>>    Don't assume the pointer set by pam_get_user is usable over the
>>>    life of the PAM module; instead, save a local copy.
>>>
>>>    Avoid a use of already freed memory when debugging is enabled.
>>>
>>>    Use __func__ instead of __FUNCTION__ and provide a fallback for
>>>    older versions of gcc and for systems that support neither.
>>>    Should fix compilation issues with Sun's C compiler.
>>>
>>>    On platforms where we know the appropriate compiler flags, try to
>>>    build the module so that symbols are resolved within the module in
>>>    preference to any externally available symbols.  Also add the
>>>    hopefully correct compiler flags for Sun's C compiler.
>>>
>>> You can download it from:
>>>
>>>    <http://www.eyrie.org/~eagle/software/pam-krb5/>
>>>
>>> Debian packages will be uploaded to Debian unstable once I have
>>> approval from the release managers.
>>>
>>> Please let me know of any problems or feature requests not already
>>> listed in the TODO file.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 






More information about the Kerberos mailing list