Package: libpam-krb5
Version: 2.6-1
Severity: normal
Removing my guest-user from /etc/shadow and
making all the pam-changes as stated in
/usr/share/doc/libpam-krb5/README.Debian
gives me:
[EMAIL PROTECTED]:~$ su guest
Password:
su: Authentication service cannot retrieve authentication info.
Sorry.
[EMAIL PROTECTED]:~$
local syslog:
calvin su[5997]: pam_acct_mgmt: Authentication service cannot retrieve
authentication info.
On the kerberos server:
gw krb5kdc[6574]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.10:
NEEDED_PREAUTH: [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Additional
pre-authentication
required
gw krb5kdc[6574]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.10: ISSUE:
authtime 1195849946, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for
krbtgt/[EMAIL PROTECTED]
However, changing /etc/pam.d/common-account to
account sufficient pam_krb5.so minimum_uid=1000
account required pam_unix.so
makes su and all other pam-services work (ssh, login, etc.)
My understanding is that kerberos-authentication should replace
local authentication or am I getting this all wrong?
At least a few words explaining that would be helpful for
admins new to kerberos and pam ;-)
Thanx!
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages libpam-krb5 depends on:
ii krb5-con 1.16 Configuration files for Kerberos V
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
ii libkrb53 1.4.4-7etch4 MIT Kerberos runtime libraries
ii libpam0g 0.79-4 Pluggable Authentication Modules l
libpam-krb5 recommends no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
