PAM, Listfile, Kerberos, and Login woes
From: Adam Parrish (waparris ncsu.edu)
Date: Mon Dec 08 2003 - 14:53:47 CST
Hey,
I have configured PAM for a system to allow people in a file in /etc/ to
log in. This is similar to the realm kit configuration for those of you
who are at NCSU and use realm linux (it's actually a copy of the file
referred to by pam_stack.so). Everything as far as allowing logins to
users works fine; anyone in my file in /etc/ can log in. The root user
can also log in. After a user that is disallowed from the system (not in
my listfile but is a valid Kerberos user) attempts to log in and gets
denied, a different valid new user cannot log in until the login program
times out and restarts. I am baffled as to why this is happening.
The following is the contents of /etc/pam.d/login and the output from
/var/log/auth.log:
auth sufficient pam_unix.so likeauth nullok debug
auth required pam_krb5.so use_first_pass debug
auth required pam_listfile.so item=user sense=allow file=/etc/users.local
account sufficient pam_unix.so debug
account required pam_deny.so debug
password sufficient pam_unix.so nullok use_authtok md5 shadow debug
password sufficient pam_krb5.so use_authtok debug
password required pam_deny.so debug
session required pam_limits.so debug
session required pam_unix.so debug
session optional pam_krb5.so debug
====
LOG
====
***THIS IS A VALID KERBEROS USER ATTEMPTING LOGIN ****
***THEY ARE NOT IN THE /etc/users.local file *********
Dec 8 15:47:25 fisher PAM_unix[21966]: authentication failure; root(uid=0) -> mppetrov for login service
Dec 8 15:47:25 fisher login[21966]: pam_krb5: pam_sm_authenticate(login mppetrov): entry:
Dec 8 15:47:25 fisher login[21966]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): No such file or directory
Dec 8 15:47:25 fisher login[21966]: pam_krb5: pam_sm_authenticate(login mppetrov): exit: success
Dec 8 15:47:25 fisher login[21966]: PAM-listfile: Refused user mppetrov for service login
Dec 8 15:47:28 fisher login[21966]: FAILED LOGIN (1) on `pts/3' FOR `mppetrov', Authentication failure
**** HERE IS THE ATTEMPT DIRECTLY AFTERWARDS TO TRY TO ALLOW ****
**** A VALID USER IN ALL ASPECTS TO LOGIN, HE CAN LOGIN NORMALLY ****
**** IF HE GOES FIRST *****
Dec 8 15:47:35 fisher PAM_unix[21966]: authentication failure; root(uid=0) -> waparris for login service
Dec 8 15:47:35 fisher login[21966]: pam_krb5: pam_sm_authenticate(login waparris): entry:
Dec 8 15:47:35 fisher login[21966]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): No such file or directory
Dec 8 15:47:35 fisher login[21966]: pam_krb5: pam_sm_authenticate(login waparris): pam_get_data(): ccache data already present
Dec 8 15:47:35 fisher login[21966]: pam_krb5: pam_sm_authenticate(login waparris): exit: failure
Dec 8 15:47:37 fisher login[21966]: FAILED LOGIN (2) on `pts/3' FOR `waparris', Authentication failure
Any input is welcome here, as I am out of ideas.
Cheers,
--
Adam Parrish
Asst. Linux Administrator
ECE Dept, North Carolina State University
Office: 919.515.0124
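
Added example, not part of the original post and not code from any PAM module: a short Python script that rejoins hard-wrapped auth.log lines and flags, per login process ID, a pam_krb5 failure logged with "ccache data already present" after pam_krb5 had already succeeded for a different user in that same process. The function names and the result tuple layout are illustrative assumptions; the sample entries are four of the log lines posted above.

```python
import re

# Four auth.log entries from the post, hard-wrapped here the way a mail client wraps them.
SAMPLE_LOG = """\
Dec 8 15:47:25 fisher login[21966]: pam_krb5: pam_sm_authenticate(login
mppetrov): exit: success
Dec 8 15:47:25 fisher login[21966]: PAM-listfile: Refused user mppetrov
for service login
Dec 8 15:47:35 fisher login[21966]: pam_krb5: pam_sm_authenticate(login
waparris): pam_get_data(): ccache data already present
Dec 8 15:47:35 fisher login[21966]: pam_krb5: pam_sm_authenticate(login
waparris): exit: failure
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
LINE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ \S+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KRB5 = re.compile(r"pam_krb5: pam_sm_authenticate\(\S+ (?P<user>[^)]+)\): (?P<rest>.*)$")
REFUSED = re.compile(r"PAM-listfile: Refused user (?P<user>\S+)")

def rejoin(text):
    """Undo hard wrapping: a line with no syslog timestamp continues the previous one."""
    out = []
    for raw in text.splitlines():
        if STAMP.match(raw) or not out:
            out.append(raw.strip())
        else:
            out[-1] += " " + raw.strip()
    return out

def find_ccache_collisions(text):
    """List (pid, earlier_user, earlier_refused, failed_user) where pam_krb5 fails with
    'ccache data already present' after succeeding for another user in the same process."""
    krb_ok, refused, pending, hits = {}, {}, {}, []
    for m in filter(None, map(LINE.match, rejoin(text))):
        pid, msg = m["pid"], m["msg"]
        r, k = REFUSED.search(msg), KRB5.search(msg)
        if r:  # remember who pam_listfile turned away in this process
            refused.setdefault(pid, set()).add(r["user"])
        if not k:
            continue
        user, rest = k["user"], k["rest"]
        if rest == "exit: success":
            krb_ok[pid] = user  # last user pam_krb5 accepted in this process
        elif "ccache data already present" in rest:
            pending[pid] = user
        elif rest == "exit: failure" and pending.pop(pid, None) == user:
            earlier = krb_ok.get(pid)
            if earlier and earlier != user:
                hits.append((pid, earlier, earlier in refused.get(pid, ()), user))
    return hits
```

Run against the full auth.log, each returned tuple names the login process, the user pam_krb5 accepted earlier, whether pam_listfile then refused that user, and the user whose later attempt failed.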