Mailinglist Archive: opensuse (1188 mails)
Re: [opensuse] pam and kerberos problem
- From: lynn <lynn@xxxxxxxxxxxx>
- Date: Fri, 20 Jan 2012 23:07:36 +0100
- Message-id: <4F19E5A8.7050309@steve-ss.com>
On 17/01/12 23:08, Andrew Colvin wrote:
Hi
This shouldn't stop you logging in and just affect setting passwords
On Sunday 15 Jan 2012 09:04:36 lynn wrote:
Hi everyone
I want to be able to unlock xscreensaver when authenticated against
Kerberos. The KDC is Samba 4 and I can logon fine to the domain.
I used Yast to add the pam_krb5 package and ran
pam-config -a --krb5
Now, only root can login in single mode.
/etc/pam.d/common-password before adding kerberos (works fine, but
cannot unlock xscreensaver):
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok
/etc/pam.d/common-password after adding krb5 (no one can login apart
from booting into single user):
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_ldap.so try_first_pass use_authtok
I think it's something to do with this line:
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
Does this mean that no user with a uid of less than 1000 will be able to
authenticate?
http://stick.gk2.sk/blog/2009/11/useradd-passwd-vs-kerberos/
What if I'm in a bar and the KDC is not available? I'm locked out of my local account. This is a laptop.
Make sure sssd is installed and running and this shouldn't be an issue as it caches your credentials for offline use.
Your file is the same as mine except my pam_ldap is replaced with pam_sss.so
Thanks for the reply. The only way I could get back in was by replacing the original pam.d. I've also now added sssd but that does not help. The problem with xscreensaver remains. I authenticate against Kerberos (with no mention of kerberos in pam.d) but xscreensaver does not seem to know anything about my Kerberos password or key or whatever they call it. No matter what I try, I can only unlock xscreensaver from a local account.
Anyone any ideas?
Thanks,
L x
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
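
An added illustration (not part of the thread, and not libpam code) of how the control flags in the quoted common-password stack decide which modules run during a password change. It is a simplified model of the Linux-PAM control actions, and the module outcomes passed in are constructed inputs.

```python
# Simplified model of Linux-PAM control-flag handling (added illustration,
# not libpam code). Module results are constructed inputs, not real calls.
CONTROLS = {
    "requisite":  {"success": "ok", "default": "die"},
    "required":   {"success": "ok", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

# The common-password stack from the post, after `pam-config -a --krb5`.
STACK = [
    ("requisite", "pam_pwcheck.so"),
    ("optional", "pam_gnome_keyring.so"),
    ({"success": 1, "default": "ignore"}, "pam_succeed_if.so"),  # uid > 999
    ("sufficient", "pam_unix2.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_ldap.so"),
]

def run_stack(stack, results):
    """results maps module name -> True (PAM_SUCCESS) or False (failure).
    Returns (overall_success, list_of_modules_actually_called)."""
    called, ok_seen, failed, skip = [], False, False, 0
    for control, module in stack:
        if skip:
            skip -= 1
            continue
        called.append(module)
        table = CONTROLS[control] if isinstance(control, str) else control
        action = table["success"] if results[module] else table["default"]
        if isinstance(action, int):      # success=N: jump over next N modules
            skip = action
        elif action in ("ok", "done"):
            ok_seen = ok_seen or not failed
            if action == "done" and not failed:
                break                    # sufficient succeeded, stop here
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break                    # requisite failed, stop here
        # "ignore": the module's result does not count
    return (ok_seen and not failed), called

def password_change(uid, unix_ok, krb5_ok, ldap_ok):
    results = {"pam_pwcheck.so": True, "pam_gnome_keyring.so": True,
               "pam_succeed_if.so": uid > 999, "pam_unix2.so": unix_ok,
               "pam_krb5.so": krb5_ok, "pam_ldap.so": ldap_ok}
    return run_stack(STACK, results)
```

In this model a uid above 999 jumps over pam_unix2.so in the password stack, while a uid of 999 or below still reaches it.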