[36005] in Kerberos


Re: root login via Kerberos5 - "User not known to the underlying

daemon@ATHENA.MIT.EDU (Brandon Allbery)
Fri Apr 4 13:09:12 2014

From: Brandon Allbery <ballbery@sinenomine.net>
To: Wendy Lin <wendlin1974@gmail.com>
Date: Fri, 4 Apr 2014 17:08:57 +0000
Message-ID: <1396631337.16364.18.camel@vikktakkht.oh3.sinenomine.net>
In-Reply-To: <CA+j=ERrrmdYkRMbeKak5rmAp7HHfTSwRGrhZXprntRDvmtYytg@mail.gmail.com>
Content-Language: en-US
Content-ID: <E7A7F5C24A06184E918E99A9084E9BAF@mex05.mlsrvr.com>
MIME-Version: 1.0
Cc: Thorsten Kukuk <kukuk@thkukuk.de>, "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, 2014-04-04 at 18:57 +0200, Wendy Lin wrote:
> On 4 April 2014 18:54, Brandon Allbery <ballbery@sinenomine.net> wrote:
> > On Fri, 2014-04-04 at 18:43 +0200, Wendy Lin wrote:
> >> But why did the other account (test001) have similar issues? Does it
> >> mean I always have to use pam_krb5.so first?
> >
> > PAM configuration can be fairly complex, especially if you don't follow
> > very simple rules like "local accounts are only authenticated locally".
> > I suspect that your use case is best handled by always having pam_krb5
> > first, but cannot be certain without more details.
> 
> So pam_unix.so only handles local users? What would a
> /etc/pam.d/common-auth look like, in the case that both pam_unix.so
> AND pam_krb5.so should be called, but failure of pam_krb5.so should be
> ignored for users usr1, usr2, ...?

It's ugly if you can't easily distinguish; you end up using a PAM module
that checks a userlist (pam_access, pam_listfile, ... --- note that it's
even worse if you need to consult an LDAP relation) and on success skips
to a separate part of the PAM config using the [success=skipcount] /
[failure=skipcount] syntax to conditionalize use of modules.

-- 
brandon s allbery kf8nh                           sine nomine associates
allbery.b@gmail.com                              ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad    http://sinenomine.net


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
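The skip-count construction Brandon describes, written out as an added example of a Linux-PAM auth stack. This is not a configuration posted in the thread; the list file /etc/security/krb5-optional-users (one username per line: usr1, usr2, ...) and the choice of pam_listfile as the userlist module are assumptions. The stack calls pam_krb5 and then pam_unix for everyone, but a pam_krb5 failure only aborts the stack for users who are not in the list:

```conf
# /etc/pam.d/common-auth (auth type only). Added example, not from the thread.
#
# Line 1: is the user in the "Kerberos failure tolerated" list?
#   pam_listfile with sense=allow returns success when the user is listed;
#   [success=1] then skips the strict pam_krb5 line below and lands on the
#   lenient one. onerr=fail: if the list file is unreadable, treat the user
#   as NOT listed rather than silently relaxing authentication.
auth  [success=1 default=ignore]  pam_listfile.so item=user sense=allow onerr=fail quiet file=/etc/security/krb5-optional-users

# Line 2 (strict, user not listed): Kerberos must succeed.
#   default=die ends the stack with a failure immediately; on success,
#   success=1 skips the lenient line so pam_krb5 is not run twice.
auth  [success=1 default=die]     pam_krb5.so

# Line 3 (lenient, user listed): pam_krb5 is still called, but every
#   result including PAM_USER_UNKNOWN ("User not known to the underlying
#   authentication module") is ignored.
auth  [default=ignore]            pam_krb5.so

# Line 4: local password check for everyone. try_first_pass reuses the
#   password pam_krb5 already collected, so the user is not prompted twice.
auth  required                    pam_unix.so try_first_pass nullok_secure
```

Two things to check before relying on this: the skip counts refer to positions in the final assembled stack, so if this file is pulled in with `@include` or `auth include` from other service files, make sure nothing is interleaved that shifts the counts; and the listed users still need a local entry that pam_unix can verify, otherwise they are locked out on the last line rather than helped by the lenient path.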
