root login via Kerberos5 - "User not known to the underlying authentication module" - why?

Wendy Lin wendlin1974 at gmail.com
Fri Apr 4 12:21:02 EDT 2014


On 24 March 2014 11:31, Wendy Lin <wendlin1974 at gmail.com> wrote:
> I am trying to allow user root (uid=0) to be authenticated via
> Kerberos5 at login time, too, but if I do I get a "User not known to
> the underlying authentication module" error and login is refused.
>
> OS is Suse 13.1
>
> pam config is:
> grep -r krb5 /etc/pam.d/
> /etc/pam.d/common-password-pc:password  sufficient      pam_krb5.so
> /etc/pam.d/common-account-pc:account    required        pam_krb5.so     use_first_pass
> /etc/pam.d/common-auth-pc:auth  sufficient      pam_krb5.so     use_first_pass
> /etc/pam.d/common-session-pc:session    optional        pam_krb5.so
>
> What am I doing wrong?

I found a solution for my problems, including that root didn't get krb5 tickets.
I swapped pam_krb5 and pam_unix in common-auth, resulting in:
------------------------------
cat /etc/pam.d/common-auth
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
auth    sufficient      pam_krb5.so     try_first_pass
auth    sufficient      pam_unix.so     use_first_pass
auth    required        pam_deny.so

diff -u /etc/pam.d/common-auth.old /etc/pam.d/common-auth
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
-auth    sufficient      pam_unix.so     try_first_pass
-auth    sufficient      pam_krb5.so     use_first_pass
+auth    sufficient      pam_krb5.so     try_first_pass
+auth    sufficient      pam_unix.so     use_first_pass
auth    required        pam_deny.so
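Review bot: on the two `+` lines, `pam_krb5.so` becomes the first `sufficient` password-checking module, so a successful Kerberos authentication ends the auth stack before `pam_unix.so` is consulted, and that now applies to root as well. If that is the intent, record it in a comment in common-auth, because it makes the Kerberos credentials that map to root equivalent to the local root password on this host. The options stay tied to position rather than module (`try_first_pass` first, `use_first_pass` second), so `pam_unix.so` never prompts on its own and local-only accounts always pass through a pam_krb5 attempt first. The diff is against `common-auth` while the earlier grep output lists `common-auth-pc`; if the former is a link to a generated file, confirm that regenerating it will not restore the old order.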
------------------------------

Of course, I do not know why this suddenly works. Can someone explain
this? Why didn't it work when pam_unix came first?

Wendy

