On Sunday 15 Jan 2012 09:04:36 lynn wrote:
Hi everyone, I want to be able to unlock xscreensaver when authenticated against Kerberos. The KDC is Samba 4 and I can log on fine to the domain.
I used YaST to add the pam_krb5 package and ran pam-config -a --krb5
Now, only root can log in, in single mode.
/etc/pam.d/common-password before adding kerberos (works fine, but cannot unlock xscreensaver):

    password requisite pam_pwcheck.so nullok cracklib
    password optional pam_gnome_keyring.so use_authtok
    password sufficient pam_unix2.so use_authtok nullok
    password required pam_ldap.so try_first_pass use_authtok

/etc/pam.d/common-password after adding krb5 (no one can login apart from booting into single user):

    password requisite pam_pwcheck.so nullok cracklib
    password optional pam_gnome_keyring.so use_authtok
    password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
    password sufficient pam_unix2.so use_authtok nullok
    password sufficient pam_krb5.so
    password required pam_ldap.so try_first_pass use_authtok
I think it's something to do with this line: password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
Does this mean that no user with a uid of less than 1000 will be able to authenticate?

This shouldn't stop you logging in and just affect setting passwords http://stick.gk2.sk/blog/2009/11/useradd-passwd-vs-kerberos/

What if I'm in a bar and the KDC is not available? I'm locked out of my local account. This is a laptop.

Make sure sssd is installed and running and this shouldn't be an issue as it caches your credentials for offline use. Your file is the same as mine except my pam_ldap is replaced with pam_sss.so
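
Added illustration, not part of the original messages: a small Python simulation of how PAM walks the "after adding krb5" password stack quoted above, showing which modules are consulted for a uid above and below the pam_succeed_if threshold. The module outcomes passed in are assumptions, and the walker handles only the control forms that appear in this stack.

```python
import re

# Stack copied from the "after adding krb5" common-password in the message above.
STACK = """\
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_ldap.so try_first_pass use_authtok
"""

def parse(stack):
    """Split each line into (control, module, args); control may be bracketed."""
    rows = []
    for line in stack.splitlines():
        m = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rows.append(m.groups())
    return rows

def walk(stack, uid, outcomes):
    """Return (modules consulted in order, overall success) for one uid.

    outcomes maps module name -> True/False and is an assumption supplied by
    the caller; only pam_succeed_if's 'uid > N' test is evaluated here.
    """
    rows, ran, ok, i = parse(stack), [], True, 0
    while i < len(rows):
        control, module, args = rows[i]
        i += 1
        ran.append(module)
        if module == "pam_succeed_if.so":
            passed = uid > int(re.search(r"uid > (\d+)", args).group(1))
        else:
            passed = outcomes.get(module, False)
        if control.startswith("["):
            # success=N skips the next N modules; default=ignore drops the rest.
            jump = re.search(r"success=(\d+)", control)
            if passed and jump:
                i += int(jump.group(1))
        elif control == "requisite" and not passed:
            return ran, False          # fail immediately
        elif control == "required" and not passed:
            ok = False                 # remember the failure, keep going
        elif control == "sufficient" and passed and ok:
            return ran, True           # stop early on success
    return ran, ok
```

Calling walk(STACK, 1000, ...) and walk(STACK, 500, ...) with the same outcomes shows the only difference the pam_succeed_if line makes in this stack: whether pam_unix2.so is consulted before pam_krb5.so.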