[Bug 558989] New: pam_krb5 does not accept windows style login domain
http://bugzilla.novell.com/show_bug.cgi?id=558989#c0

Summary: pam_krb5 does not accept windows style login domain
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Samba
AssignedTo: samba-maintainers@SuSE.de
ReportedBy: dipeit@gmail.com
QAContact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 GTB6 (.NET CLR 3.5.30729)

We are using winbind and pam_mount for Windows integration but we also need NFS home directories which are offered as kerberized NFS. pam_winbind does not seem to execute kinit, klist does not show the NFS UPN after login. The only solution seems to be to add pam_krb5 (pam-config -a --krb5) to the pam configuration.

    # common-auth
    auth required pam_env.so
    auth sufficient pam_unix2.so
    auth sufficient pam_krb5.so use_first_pass
    auth required pam_winbind.so use_first_pass

    cpprojweb:/ # cat /etc/pam.d/xdm
    #%PAM-1.0
    auth optional pam_mount.so
    auth include common-auth
    account include common-account
    password include common-password
    session required pam_loginuid.so
    session include common-session
    session optional pam_mount.so

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

http://bugzilla.novell.com/show_bug.cgi?id=558989#c1

--- Comment #1 from Di Pe <dipeit@gmail.com> 2009-11-28 07:45:05 UTC ---

This pam configuration works well for ssh sessions, but if users log in via kdm they select the domain they want to log in to and are unable to log in (no error message comes up). Apparently pam_krb5 eats the backslash and is unable to identify the user name.

    Nov 27 22:47:55 cpprojweb kdm: :0[4497]: pam_krb5[4497]: pam_setcred (delete credential) called
    Nov 27 22:48:15 cpprojweb kdm: :0[5543]: pam_krb5[5543]: authentication fails for 'DOMAIN\user' (DOMAINuser@DOMAIN.ORG): User not known to the underlying authentication module (Client not found in Kerberos database)
    Nov 27 22:48:15 cpprojweb kdm: :0[5543]: pam_winbind(xdm:auth): getting password (0x00000390)
    Nov 27 22:48:15 cpprojweb kdm: :0[5543]: pam_winbind(xdm:auth): pam_get_item returned a password
    Nov 27 22:48:15 cpprojweb kdm: :0[5543]: pam_winbind(xdm:auth): user 'DOMAIN\user' granted access
    Nov 27 22:48:15 cpprojweb kdm: :0[5543]: pam_winbind(xdm:account): user 'user' granted access

Workaround: in /etc/sysconfig/displaymanager set

    DISPLAYMANAGER_AD_INTEGRATION="no"

Several possible solutions:

1. Abandon DISPLAYMANAGER_AD_INTEGRATION as a default in openSUSE. If smb.conf is properly configured the correct domain is automatically chosen and Linux users are not confused by the additional drop-down list at login time. DISPLAYMANAGER_AD_INTEGRATION is actually only useful if people have multiple domains or use child domains.
2. Let pam_winbind execute a kinit so kerberized NFS mounts can be used without having to type kinit.
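
Added example, not part of the original bug report or of pam_krb5: a small log check that picks out pam_krb5 failures in which the Kerberos principal is the 'DOMAIN\user' login with its backslash dropped, as in the log quoted in comment #1. The function name and the third sample line are assumptions made for this illustration.

```python
import re

# Matches the pam_krb5 failure line format quoted in comment #1:
#   pam_krb5[PID]: authentication fails for 'LOGIN' (PRINCIPAL): REASON
FAIL_RE = re.compile(
    r"pam_krb5\[(?P<pid>\d+)\]: authentication fails for "
    r"'(?P<login>[^']*)' \((?P<principal>[^)]*)\): (?P<reason>.*)$"
)

def find_mangled_logins(lines):
    """Return failures whose principal is the login with its backslash dropped."""
    hits = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        login, principal = m.group("login"), m.group("principal")
        if "\\" not in login:
            continue  # plain user name, not a DOMAIN\user login
        local_part = principal.split("@", 1)[0]
        domain, _, user = login.partition("\\")
        # 'DOMAIN\user' turned into 'DOMAINuser@REALM' is the symptom reported here
        if local_part == domain + user:
            hits.append({"pid": int(m.group("pid")), "login": login,
                         "principal": principal, "expected_user": user,
                         "reason": m.group("reason")})
    return hits

# The first two lines come from the log in comment #1. The third is constructed
# for this example: a failure that is not caused by a dropped backslash.
SAMPLE_LOG = [
    "Nov 27 22:48:15 cpprojweb kdm: :0[5543]: pam_krb5[5543]: authentication fails for 'DOMAIN\\user' (DOMAINuser@DOMAIN.ORG): User not known to the underlying authentication module (Client not found in Kerberos database)",
    "Nov 27 22:48:15 cpprojweb kdm: :0[5543]: pam_winbind(xdm:auth): user 'DOMAIN\\user' granted access",
    "Nov 27 22:50:02 cpprojweb sshd[6001]: pam_krb5[6001]: authentication fails for 'user' (user@DOMAIN.ORG): Authentication failure",
]

if __name__ == "__main__":
    for hit in find_mangled_logins(SAMPLE_LOG):
        print(f"pid {hit['pid']}: login {hit['login']!r} was tried as {hit['principal']!r}")
```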

http://bugzilla.novell.com/show_bug.cgi?id=558989#c5

Yang Bo <boyang@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #5 from Yang Bo <boyang@novell.com> 2010-02-26 02:28:25 UTC ---

close it.. configuration error and wrong bash syntax..