[36000] in Kerberos

home help back first fref pref prev next nref lref last post

Re: root login via Kerberos5 - "User not known to the underlying

daemon@ATHENA.MIT.EDU (Wendy Lin)
Fri Apr 4 12:21:23 2014

MIME-Version: 1.0
In-Reply-To: <CA+j=ERp_TppuNs1dPnrcNpeh4YAxZ3XY0EM5qBEVVcztakbRwQ@mail.gmail.com>
Date: Fri, 4 Apr 2014 18:21:02 +0200
Message-ID: <CA+j=ERqWot=DvBVuoebycKt7CVq4c7BE7E2RYE4dYPUVAh6Wtg@mail.gmail.com>
From: Wendy Lin <wendlin1974@gmail.com>
To: "<kerberos@mit.edu>" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 24 March 2014 11:31, Wendy Lin <wendlin1974@gmail.com> wrote:
> I am trying to allow user root (uid=0) to be authenticated via
> Kerberos5 at login time, too, but if I do I get a "User not known to
> the underlying authentication module" error and login is refused.
>
> OS is Suse 13.1
>
> pam config is:
> grep -r krb5 /etc/pam.d/
> /etc/pam.d/common-password-pc:password  sufficient      pam_krb5.so
> /etc/pam.d/common-account-pc:account    required        pam_krb5.so
>  use_first_pass
> /etc/pam.d/common-auth-pc:auth  sufficient      pam_krb5.so     use_first_pass
> /etc/pam.d/common-session-pc:session    optional        pam_krb5.so
>
> What am I doing wrong?

I found a solution for my problems, including that root didn't get krb5 tickets.
I swapped pam_krb5 and pam_unix in common-auth, resulting in:
------------------------------
cat /etc/pam.d/common-auth
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
auth    sufficient      pam_krb5.so     try_first_pass
auth    sufficient      pam_unix.so     use_first_pass
auth    required        pam_deny.so

diff -u /etc/pam.d/common-auth.old /etc/pam.d/common-auth
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
-auth    sufficient      pam_unix.so     try_first_pass
-auth    sufficient      pam_krb5.so     use_first_pass
+auth    sufficient      pam_krb5.so     try_first_pass
+auth    sufficient      pam_unix.so     use_first_pass
auth    required        pam_deny.so
------------------------------

Of course, I do not know why this suddenly works. Can someone explain
this? Why didn't it work when pam_unix came first?

Wendy
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
home help back first fref pref prev next nref lref last post