Coy Hile <[EMAIL PROTECTED]> writes:

> I'm using Russ' pam_krb5 implementation on Solaris, but I'm running into
> issues when I'm trying to make it authenticate xscreensaver sessions.
> The users authenticate correctly, but I see no new expiry times on the
> TGT and other tickets (I'd expect the re-authentication to renew
> existing creds, or if they're expired, acquire new ones.)
>
> An excerpt from my /etc/pam.conf is thus:
>
> xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

If this one succeeds, nothing else runs. I don't know what it does, though.

> xscreensaver auth requisite pam_authtok_get.so.1
> xscreensaver auth required pam_dhkeys.so.1
> xscreensaver auth required pam_unix_cred.so.1
> xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug
> xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
> xscreensaver auth optional pam_unix_auth.so.1

I think this lets someone authenticate without knowing the password at
all, since both of your authentication modules are optional. You probably
want:

    xscreensaver auth sufficient pam_unix_auth.so.1
    xscreensaver auth required /krb5/lib/security/pam_krb5.so use_first_pass debug
    xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag

Incidentally, you don't need nopag here. pam_afs_session is smart enough
to know that it's being called to refresh credentials instead of establish
new ones and won't create a new PAG.

> When I lock the screen and then authenticate, I see the following
> in syslog:
>
> Mar 6 21:04:59 ganymede xscreensaver[13110]: [ID 943423 user.error] KRB5: No
> credentials cache file found while retrieving cerdentials

That's not a pam_krb5 log message. If that's all you're seeing with the
above configuration, I don't think pam_krb5 is ever being called. It
should be logging considerably more information than that.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
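
The control-flag point in the reply above, as an added example that is not part of the original thread: a simplified Python model of PAM auth-stack evaluation that checks whether a stack still grants access when every password-verifying module fails. Assumptions: pam_krb5 and pam_unix_auth are the only modules that verify the password, pam_sunray does not succeed, and every other module returns success; PAM_IGNORE and the binding flag are not modelled.

```python
# Simplified model of PAM control flags (auth stack only). Module outcomes
# are assumptions supplied by the caller, not observed module behaviour.
ORIGINAL = """
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug
xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
xscreensaver auth optional pam_unix_auth.so.1
"""
SUGGESTED = """
xscreensaver auth sufficient pam_unix_auth.so.1
xscreensaver auth required /krb5/lib/security/pam_krb5.so use_first_pass debug
xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
"""
VERIFIERS = {"pam_krb5", "pam_unix_auth"}  # assumed to be the password checkers

def parse_stack(text):
    """Parse 'service type flag module [options]' lines into (flag, name)."""
    stack = []
    for line in text.strip().splitlines():
        fields = line.split()
        name = fields[3].rsplit("/", 1)[-1].split(".so")[0]
        stack.append((fields[2], name))
    return stack

def evaluate(stack, verifier_ok):
    """Return True if the stack grants access. verifier_ok: name -> bool."""
    required_failed = any_success = False
    for flag, name in stack:
        if name in VERIFIERS:
            ok = verifier_ok.get(name, False)
        else:
            ok = name != "pam_sunray"  # assumption: helper modules succeed
        if flag == "requisite" and not ok:
            return False               # fail immediately
        if flag == "sufficient" and ok and not required_failed:
            return True                # succeed immediately
        if flag == "required" and not ok:
            required_failed = True     # fail, but keep running the stack
        any_success = any_success or ok  # optional failures are ignored
    return any_success and not required_failed

def accepts_wrong_password(text):
    """Lint check: does the stack succeed with every verifier failing?"""
    return evaluate(parse_stack(text), {})

if __name__ == "__main__":
    print("original accepts wrong password: ", accepts_wrong_password(ORIGINAL))
    print("suggested accepts wrong password:", accepts_wrong_password(SUGGESTED))
```
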
