root login via Kerberos5 - "User not known to the underlying authentication module" - why?
Brandon Allbery
ballbery at sinenomine.net
Fri Apr 4 12:54:01 EDT 2014
On Fri, 2014-04-04 at 18:43 +0200, Wendy Lin wrote:
> On 4 April 2014 18:29, Brandon Allbery <ballbery at sinenomine.net> wrote:
> > On Fri, 2014-04-04 at 18:21 +0200, Wendy Lin wrote:
> >> On 24 March 2014 11:31, Wendy Lin <wendlin1974 at gmail.com> wrote:
> >> Of course, I do not know why this suddenly works. Can someone explain
> >> this? Why didn't it work when pam_unix came first?
> >
> > Because root will always have a local account (required for the system
> > to operate) and the "sufficient" designation means that authentication
> > succeeds at that point without trying other authentication modules.
>
> But why did the other account (test001) had similar issues? Does it
> mean I always have to use pam_krb5.so first?
PAM configuration can be fairly complex, especially if you don't follow
very simple rules like "local accounts are only authenticated locally".
I suspect that your use case is best handled by always having pam_krb5
first, but cannot be certain without more details.
--
brandon s allbery kf8nh sine nomine associates
allbery.b at gmail.com ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
More information about the Kerberos
mailing list