superfluous pam warnings when authenticating to 2 krb5 realms
sam.bracke@gial.be
Tue Nov 13 06:34:44 EST 2007
Hello,
I'm configuring a CentOS 4.3 to authenticate users via krb5 on two
separate realms.
Login is working fine but I'm seeing some messages from pam that I'd
like to get rid of.
Realms are DOMAINA.COM containing user testA and DOMAINB.COM
containing user testB.
Both users have been useradded to the CentOS server.
(Logging in as user testA on realm DOMAINA.COM)
Nov 13 12:05:26 xxxxx sshd(pam_unix)[30270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testA
Nov 13 12:05:27 xxxxx sshd[30270]: pam_krb5[30270]: authentication succeeds for 'testA' (testA at DOMAINA.COM)
Nov 13 12:05:27 xxxxx sshd(pam_unix)[30274]: session opened for user testA by (uid=0)
Nov 13 12:05:30 xxxxx sshd(pam_unix)[30274]: session closed for user testA
(logging in as user testB on realm DOMAINB.COM)
Nov 13 12:05:50 xxxxx sshd(pam_unix)[30308]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testB
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication fails for 'testB' (testB at DOMAINA.COM): User not known to the underlying authentication module (Client not found in Kerberos database)
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication succeeds for 'testB' (testB at DOMAINB.COM)
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: account checks fail for 'testB': user is unknown
Nov 13 12:05:50 xxxxx sshd(pam_unix)[30313]: session opened for user testB by (uid=0)
Nov 13 12:05:52 xxxxx sshd(pam_unix)[30313]: session closed for user testB
Here are the contents of /etc/pam.d/system-auth. DOMAINA.COM is set up
as the default realm in /etc/krb5.conf.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1000
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass realm=DOMAINB.COM minimum_uid=1000
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so minimum_uid=1000
account sufficient /lib/security/$ISA/pam_krb5.so realm=DOMAINB.COM minimum_uid=1000
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password [default=bad success=done user_unknown=ignore] /lib/security/$ISA/pam_krb5.so use_authtok minimum_uid=1000
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok realm=DOMAINB.COM minimum_uid=1000
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
So in the second case the system tries to authenticate user testB
first to DOMAINA.COM, then DOMAINB.COM (as configured) and
authentication in DOMAINA.COM fails because the testB account doesn't
exist there.
I'd like to avoid the pam_krb5 "authentication fails" and "account
checks fail" messages getting logged there if that's possible.
The pam_unix "authentication fails" messages are probably due to the
system first trying (and failing) to authenticate via the local passwd/
shadow before using Kerberos.
Is there any way to avoid this happening while still getting a
legitimate warning when someone fails to connect using a non-Kerberos
account?
Thanks in advance for your replies.
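Added example, not part of the original post or of any reply on the list: one way to keep the "legitimate warning" the poster asks about without touching the PAM stack is to correlate the messages by sshd PID on the log-analysis side. In the quoted output, the pam_unix fall-through failure, the wrong-realm pam_krb5 failure and the eventual pam_krb5 success of one login attempt all carry the same PID, so an attempt that ends in a Kerberos success can have its earlier failure lines dropped, while an attempt with failures and no success is the one to alert on. The script below assumes Python 3 and the exact syslog line shapes shown in the post; the sample log is the post's own lines plus one constructed attempt (pid 31000, user nosuchuser) that never succeeds.

```python
import re

# Constructed sample: the sshd/PAM lines quoted in the post (pids 30270, 30274,
# 30308, 30313) plus one made-up attempt (pid 31000, user 'nosuchuser') that
# never reaches a pam_krb5 success, so the filter must keep it.
SAMPLE_LOG = """\
Nov 13 12:05:26 xxxxx sshd(pam_unix)[30270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testA
Nov 13 12:05:27 xxxxx sshd[30270]: pam_krb5[30270]: authentication succeeds for 'testA' (testA at DOMAINA.COM)
Nov 13 12:05:27 xxxxx sshd(pam_unix)[30274]: session opened for user testA by (uid=0)
Nov 13 12:05:30 xxxxx sshd(pam_unix)[30274]: session closed for user testA
Nov 13 12:05:50 xxxxx sshd(pam_unix)[30308]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=testB
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication fails for 'testB' (testB at DOMAINA.COM): User not known to the underlying authentication module (Client not found in Kerberos database)
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: authentication succeeds for 'testB' (testB at DOMAINB.COM)
Nov 13 12:05:50 xxxxx sshd[30308]: pam_krb5[30308]: account checks fail for 'testB': user is unknown
Nov 13 12:05:50 xxxxx sshd(pam_unix)[30313]: session opened for user testB by (uid=0)
Nov 13 12:05:52 xxxxx sshd(pam_unix)[30313]: session closed for user testB
Nov 13 12:06:10 xxxxx sshd(pam_unix)[31000]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=nosuchuser
Nov 13 12:06:10 xxxxx sshd[31000]: pam_krb5[31000]: authentication fails for 'nosuchuser' (nosuchuser at DOMAINA.COM): User not known to the underlying authentication module (Client not found in Kerberos database)
"""

# Every line carries the sshd PID as sshd[PID] or sshd(pam_unix)[PID]; the
# pam_unix and pam_krb5 messages of one login attempt share that PID.
PID_RE = re.compile(r"sshd(?:\(pam_unix\))?\[(\d+)\]")
FAIL_RES = [
    re.compile(r"sshd\(pam_unix\)\[\d+\]: authentication failure;.* user=(\S+)"),
    re.compile(r"pam_krb5\[\d+\]: authentication fails for '([^']+)'"),
    re.compile(r"pam_krb5\[\d+\]: account checks fail for '([^']+)'"),
]
KRB_OK_RE = re.compile(r"pam_krb5\[\d+\]: authentication succeeds for '([^']+)'")


def group_by_pid(log_text):
    """Fold the log into one record per sshd PID: the user name, whether a
    pam_krb5 'authentication succeeds' line was seen, and the failure lines."""
    sessions = {}
    for line in log_text.splitlines():
        pid_match = PID_RE.search(line)
        if not pid_match:
            continue
        rec = sessions.setdefault(
            pid_match.group(1), {"user": None, "succeeded": False, "failures": []}
        )
        ok = KRB_OK_RE.search(line)
        if ok:
            rec["user"] = rec["user"] or ok.group(1)
            rec["succeeded"] = True
            continue
        for fail_re in FAIL_RES:
            m = fail_re.search(line)
            if m:
                rec["user"] = rec["user"] or m.group(1)
                rec["failures"].append(line)
                break
    return sessions


def real_failures(log_text):
    """Attempts that logged failures and no module ever accepted: alert on these."""
    return [
        (pid, rec["user"])
        for pid, rec in group_by_pid(log_text).items()
        if rec["failures"] and not rec["succeeded"]
    ]


def suppressed_noise(log_text):
    """Failure lines of attempts that later succeeded (pam_unix fall-through,
    wrong-realm pam_krb5 try, 'user is unknown' account check): safe to drop."""
    return {
        pid: rec["failures"]
        for pid, rec in group_by_pid(log_text).items()
        if rec["succeeded"] and rec["failures"]
    }


if __name__ == "__main__":
    for pid, user in real_failures(SAMPLE_LOG):
        print(f"ALERT pid={pid} user={user}: no module accepted this login")
    for pid, lines in suppressed_noise(SAMPLE_LOG).items():
        print(f"pid={pid}: suppressed {len(lines)} fall-through line(s)")
```

Run against the sample, the testA and testB attempts (pids 30270 and 30308) are reported as noise only, while the constructed pid 31000 attempt is the one alert. The PID correlation works because pam_unix and pam_krb5 log under the same sshd process; the "session opened/closed" lines belong to a different child PID and carry no failure, so they are ignored.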