root login via Kerberos5 - "User not known to the underlying authentication module" - why?

Wendy Lin wendlin1974 at gmail.com
Fri Apr 4 12:57:17 EDT 2014


On 4 April 2014 18:54, Brandon Allbery <ballbery at sinenomine.net> wrote:
> On Fri, 2014-04-04 at 18:43 +0200, Wendy Lin wrote:
>> On 4 April 2014 18:29, Brandon Allbery <ballbery at sinenomine.net> wrote:
>> > On Fri, 2014-04-04 at 18:21 +0200, Wendy Lin wrote:
>> >> On 24 March 2014 11:31, Wendy Lin <wendlin1974 at gmail.com> wrote:
>> >> Of course, I do not know why this suddenly works. Can someone explain
>> >> this? Why didn't it work when pam_unix came first?
>> >
>> > Because root will always have a local account (required for the system
>> > to operate) and the "sufficient" designation means that authentication
>> > succeeds at that point without trying other authentication modules.
>>
>> But why did the other account (test001) had similar issues? Does it
>> mean I always have to use pam_krb5.so first?
>
> PAM configuration can be fairly complex, especially if you don't follow
> very simple rules like "local accounts are only authenticated locally".
> I suspect that your use case is best handled by always having pam_krb5
> first, but cannot be certain without more details.

So pam_unix.so only handles local users? How would a
/etc/pam.d/common-auth look like, in the case that both pam_unix.so
AND pam_krb5.so should be called, but failure of pam_krb5.so should be
ignored for users usr1, usr2, ...?

Wendy


More information about the Kerberos mailing list