Help: User login problems in NFS4 + Kerberos integration

Lee Eric openlinuxsource at gmail.com
Tue Oct 18 00:33:47 EDT 2011


Sorry, I got it wrong.

/etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Eric

On Tue, Oct 18, 2011 at 11:41 AM, Russ Allbery <rra at stanford.edu> wrote:
> Lee Eric <openlinuxsource at gmail.com> writes:
>
>> Thanks mate. I use the pam_afs_session and pam_krb5 PAM modules on the
>> client. The user who is using NFS can sometimes log in and sometimes
>> cannot, due to a timeout. The client has to access both NFS and OpenAFS.
>> So is there any method to fix that? I will paste the PAM configurations here.
>
>> /etc/pam.d/system-auth
>
>> auth        required      pam_env.so
>> auth        sufficient    pam_fprintd.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        required      pam_deny.so
>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> -session     optional      pam_systemd.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>
> Just to state the obvious, you're not using either pam_krb5 or
> pam_afs_session here.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>
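
An added example, not part of the original thread: a small Python check that parses a PAM stack and reports which module types reference pam_krb5 and pam_afs_session, the point raised in the quoted reply. The function names and the embedded sample (lines excerpted from the corrected config above) are assumptions for illustration.

```python
import re

# Constructed sample: lines excerpted from the corrected system-auth in the
# message above, with the wrapped session line rejoined.
SAMPLE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
session     optional      pam_keyinit.so revoke
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
"""

# Fields: optional "-" prefix, type, control (keyword or [value=action ...]),
# module, then any module arguments.
LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return a list of (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparsed PAM line: %r" % raw)
        _, mtype, control, module, args = m.groups()
        entries.append((mtype, control, module, args.split()))
    return entries

def module_usage(entries, wanted):
    """Map each wanted module name to the sorted types that call it."""
    usage = {name: set() for name in wanted}
    for mtype, _, module, _ in entries:
        name = module.rsplit("/", 1)[-1]  # tolerate absolute module paths
        if name.endswith(".so"):
            name = name[:-3]
        if name in usage:
            usage[name].add(mtype)
    return {k: sorted(v) for k, v in usage.items()}

if __name__ == "__main__":
    report = module_usage(parse_pam(SAMPLE), ["pam_krb5", "pam_afs_session"])
    for name, types in report.items():
        print(name, "->", ", ".join(types) or "not referenced")
```
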



