pam_krb5 (Russ' implementation) question
Coy Hile
coy.hile at coyhile.com
Thu Mar 6 21:37:10 EST 2008
Hi all,
I'm using Russ' pam_krb5 implementation on Solaris, but I'm running into
issues when I'm trying to make it authenticate xscreensaver sessions. The
users authenticate correctly, but I see no new expiry times on the TGT and
other tickets (I'd expect the re-authentication to renew existing creds, or
if they're expired, acquire new ones.)
An excerpt from my /etc/pam.conf is thus:
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug
xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
xscreensaver auth optional pam_unix_auth.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
xscreensaver session required pam_unix_session.so.1
xscreensaver password required pam_dhkeys.so.1
xscreensaver password requisite pam_authtok_get.so.1
xscreensaver password requisite pam_authtok_check.so.1
xscreensaver password required pam_authtok_store.so.1
When I lock the screen and then authenticate, I see the following in syslog:
Mar 6 21:04:59 ganymede xscreensaver[13110]: [ID 943423 user.error] KRB5: No credentials cache file found while retrieving cerdentials
(Perhaps the above error in syslog happened when the creds were expired?)
How should I tweak the PAM stack to gain my desired behaviour?
Thanks,
--
Coy Hile
coy.hile at coyhile.com
"Unarmed combat is what we enter into when we have been foolish enough
not to have a weapon; careless enough to lose our weapon, or unlucky
enough to have broken our weapon"