su + pam-krb5 + alt_auth_map

kjl kjl at rzg.mpg.de
Tue Oct 1 09:16:37 EDT 2013


Hello!

when trying to replace "ksu" by "su" and "pam-krb5" I'm facing
some difficulties, if I configure "alt_auth_map=%s/root" (see below)
to use of the root instance account of the username. According to
the pam-krb5 manpage this should be possible.
In the Kerberos Log appears
"AS-REQ root/root at XXX from XXX ..."
instead of the expected "<user>/root" principal.
Perhaps someone can point me into the right direction how to solve this 
issue.

configuration:

/etc/pam.d/su
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     sufficient     pam_krb5.so alt_auth_map=%s/root only_alt_auth 
minimum_uid=0 debug
auth     include        common-auth
account  sufficient     pam_rootok.so
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so

SUSE Linux Enterprise Server 11 (x86_64)
pam-1.1.5-0.10.17
pam-krb5-4.6
 > rpm -qf /bin/su
coreutils-8.12-6.25.27.1

Thanks a lot in advance!

Karl


More information about the Kerberos mailing list