pam_krb5 (Russ' implementation) question

Coy Hile coy.hile at coyhile.com
Thu Mar 6 21:37:10 EST 2008


Hi all,

I'm using Russ' pam_krb5 implementation on Solaris, but I'm running into
issues when I'm trying to make it authenticate xscreensaver sessions.  The
users authenticate correctly, but I see no new expiry times on the TGT and
other tickets (I'd expect the re-authentication to renew existing creds, or
if they're expired, acquire new ones.)

An excerpt from my /etc/pam.conf is thus:

xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug
xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
xscreensaver auth optional pam_unix_auth.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
xscreensaver session required pam_unix_session.so.1
xscreensaver password required pam_dhkeys.so.1
xscreensaver password requisite pam_authtok_get.so.1
xscreensaver password requisite pam_authtok_check.so.1
xscreensaver password required pam_authtok_store.so.1


When I lock the screen and then authenticate, I see the following
in syslog:

Mar  6 21:04:59 ganymede xscreensaver[13110]: [ID 943423 user.error] KRB5: No credentials cache file found while retrieving cerdentials


(Perhaps the above error in syslog happened when the creds were expired?)
How should I tweak the PAM stack to gain my desired behaviour?

Thanks,

-- 
Coy Hile
coy.hile at coyhile.com
"Unarmed combat is what we enter into when we have been foolish enough
not to have a weapon; careless enough to lose our weapon, or unlucky
enough to have broken our weapon"
