root login via Kerberos5 - "User not known to the underlying authentication module" - why?

Brandon Allbery ballbery at sinenomine.net
Fri Apr 4 13:08:57 EDT 2014


On Fri, 2014-04-04 at 18:57 +0200, Wendy Lin wrote:
> On 4 April 2014 18:54, Brandon Allbery <ballbery at sinenomine.net> wrote:
> > On Fri, 2014-04-04 at 18:43 +0200, Wendy Lin wrote:
> >> But why did the other account (test001) have similar issues? Does it
> >> mean I always have to use pam_krb5.so first?
> >
> > PAM configuration can be fairly complex, especially if you don't follow
> > very simple rules like "local accounts are only authenticated locally".
> > I suspect that your use case is best handled by always having pam_krb5
> > first, but cannot be certain without more details.
> 
> So pam_unix.so only handles local users? What would a
> /etc/pam.d/common-auth look like, in the case that both pam_unix.so
> AND pam_krb5.so should be called, but failure of pam_krb5.so should be
> ignored for users usr1, usr2, ...?

It's ugly if you can't easily distinguish; you end up using a PAM module
that checks a userlist (pam_access, pam_listfile, ... --- note that it's
even worse if you need to consult an LDAP relation) and on success skips
to a separate part of the PAM config using the [success=skipcount] /
[failure=skipcount] syntax to conditionalize use of modules.

-- 
brandon s allbery kf8nh                           sine nomine associates
allbery.b at gmail.com                              ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad    http://sinenomine.net

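The skip-count layout described above, written out as an added example that is not from the thread: it assumes a Debian-style /etc/pam.d/common-auth and a hypothetical list file /etc/security/local-users (one username per line, e.g. root, usr1, usr2) naming the accounts that must never depend on Kerberos.

```text
# /etc/pam.d/common-auth  (constructed example, Debian layout)
# Goal: pam_unix runs for everyone; pam_krb5 is required only for users
# NOT listed in /etc/security/local-users (assumed path).

# 1. Listed local user?  On a match jump over the two Kerberos lines (success=2).
#    onerr=fail: a missing or unreadable list makes everyone take the Kerberos
#    path rather than silently making Kerberos optional.
auth  [success=2 default=ignore]  pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/local-users

# 2. Not listed: Kerberos must succeed.  On success skip the pam_deny below;
#    any other result is ignored here and the requisite pam_deny ends the stack.
auth  [success=1 default=ignore]  pam_krb5.so
auth  requisite                   pam_deny.so

# 3. Everyone lands here: the local password check.  try_first_pass reuses the
#    password pam_krb5 already collected instead of prompting a second time.
auth  required                    pam_unix.so try_first_pass
```

The success=N counts refer to the auth lines that follow in the fully expanded stack, so inserting or removing an auth line between steps 1 and 3 (including in files that include common-auth) changes which users bypass Kerberos unless the counts are adjusted.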