root login via Kerberos5 - "User not known to the underlying authentication module" - why?
Wendy Lin
wendlin1974 at gmail.com
Fri Apr 4 12:21:02 EDT 2014
On 24 March 2014 11:31, Wendy Lin <wendlin1974 at gmail.com> wrote:
> I am trying to allow user root (uid=0) to be authenticated via
> Kerberos5 at login time, too, but if I do I get a "User not known to
> the underlying authentication module" error and login is refused.
>
> OS is Suse 13.1
>
> pam config is:
> grep -r krb5 /etc/pam.d/
> /etc/pam.d/common-password-pc:password sufficient pam_krb5.so
> /etc/pam.d/common-account-pc:account required pam_krb5.so use_first_pass
> /etc/pam.d/common-auth-pc:auth sufficient pam_krb5.so use_first_pass
> /etc/pam.d/common-session-pc:session optional pam_krb5.so
>
> What am I doing wrong?
I found a solution for my problems, including that root didn't get krb5 tickets.
I swapped pam_krb5 and pam_unix in common-auth, resulting in:
------------------------------
cat /etc/pam.d/common-auth
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_krb5.so try_first_pass
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
diff -u /etc/pam.d/common-auth.old /etc/pam.d/common-auth
auth required pam_env.so
auth optional pam_gnome_keyring.so
-auth sufficient pam_unix.so try_first_pass
-auth sufficient pam_krb5.so use_first_pass
+auth sufficient pam_krb5.so try_first_pass
+auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
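Review bot: the two swapped `sufficient` lines change which module gets to end the auth stack, and nothing in the file records that the order is deliberate. With pam_unix.so listed first, a successful local password check returns from the stack before pam_krb5.so is called; a comment above the pam_krb5.so line stating that it must precede pam_unix.so would keep a later edit from undoing this. The swap also leaves pam_unix.so with use_first_pass, so it now relies on pam_krb5.so having collected the password. Finally, the earlier grep found the krb5 entries in common-auth-pc while this diff is against common-auth, so it is worth confirming which file the login services actually include.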
------------------------------
Of course, I do not know why this suddenly works. Can someone explain
this? Why didn't it work when pam_unix came first?
Wendy
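
The following is an added illustration, not part of the original message: a simplified model of how the `sufficient` control flag short-circuits the two auth stacks shown above. The module outcomes (root having both a local password and a Kerberos principal) are constructed assumptions, and only the `required`, `optional` and `sufficient` flags are modelled.

```python
# Simplified PAM auth-stack model (added example). Real PAM has more control
# flags and return codes; this covers only what the two stacks above use.
OLD_STACK = """\
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""
NEW_STACK = """\
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_krb5.so try_first_pass
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
"""
# Constructed outcomes: would each module succeed if it were called?
BASE = {"pam_env.so": True, "pam_gnome_keyring.so": True, "pam_deny.so": False}
ROOT_LOCAL_AND_KDC = dict(BASE, **{"pam_unix.so": True, "pam_krb5.so": True})
LOCAL_ONLY_USER = dict(BASE, **{"pam_unix.so": True, "pam_krb5.so": False})

def parse_stack(text):
    """Return a list of (control, module) pairs from pam.d-style lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[1], fields[2]))
    return entries

def run_stack(text, outcomes):
    """Return (granted, modules_called) for one authentication attempt."""
    required_failed, called = False, []
    for control, module in parse_stack(text):
        called.append(module)
        ok = outcomes[module]
        if control == "sufficient" and ok and not required_failed:
            return True, called          # stack ends here; later modules never run
        if control == "required" and not ok:
            required_failed = True       # remembered, but the stack keeps going
    return not required_failed, called

if __name__ == "__main__":
    for name, stack in (("old", OLD_STACK), ("new", NEW_STACK)):
        granted, called = run_stack(stack, ROOT_LOCAL_AND_KDC)
        print(name, granted, "pam_krb5 called:", "pam_krb5.so" in called)
```

In this model the old ordering grants the login without pam_krb5.so ever being called, so there is no point at which a ticket could be obtained; the new ordering calls pam_krb5.so first and falls through to pam_unix.so only when it fails.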