libpam-krb5 on Ubuntu 8.04 with MIT Kerberos and PKINIT
Douglas E. Engert
deengert at anl.gov
Thu May 15 14:13:57 EDT 2008
I was trying to get the PKINIT working on Ubuntu 8.04
which comes with:
libpam-krb5 3.10-1
krb5-pkinit 1.6.dfsg.3~beta1-2ubuntu1
I had to make a change to the libpam-krb5 auth.c to remove a test for
a bug that appears to be fixed in krb5-1.6.3 I just changed the #ifdef
to not include the call to clear out the opts structure.
--- ,auth.c 2007-12-28 23:42:52.000000000 -0600
+++ auth.c 2008-05-15 10:55:26.000000000 -0500
@@ -139,7 +139,7 @@
set_credential_options(struct pam_args *args, krb5_get_init_creds_opt *opts,
int service)
{
-#ifdef HAVE_KRB5_MIT
+#ifdef HAVE_KRB5_MIT_OLDER_THEN_1_6_3
/* Work around a bug in MIT Kerberos where allocating the credential
structure with opt_alloc doesn't initialize it. This workaround
will probably be removed eventually when the broken versions of 1.6
are obsolete.
We can't do this for Heimdal because it will destroy the private
structure in the allocated opt struct. */
krb5_get_init_creds_opt_init(opts);
#endif
Can you verify that the above code is not needed?
With the above change and change to /etc/pam.d/* and /etc/krb5.conf
I can get gdm and gnome-screensaver to use either a smart card or a password.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the krbdev
mailing list