[opensuse] pam and kerberos problem
Hi everyone

I want to be able to unlock xscreensaver when authenticated against Kerberos. The KDC is Samba 4 and I can logon fine to the domain.

I used Yast to add the pam_krb5 package and ran pam-config -a --krb5

Now, only root can login in single mode.

/etc/pam.d/common-password before adding kerberos (works fine, but cannot unlock xscreensaver):

password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

/etc/pam.d/common-password after adding krb5 (no one can login apart from booting into single user):

password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_ldap.so try_first_pass use_authtok

I think it's something to do with this line:

password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet

Does this mean that no user with a uid of less than 1000 will be able to authenticate?

What if I'm in a bar and the KDC is not available? I'm locked out of my local account. This is a laptop. Ahhgghh!!

Thanks
L x
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sunday 15 Jan 2012 09:04:36 lynn wrote:
Hi everyone I want to be able to unlock xscreensaver when authenticated against Kerberos. The KDC is Samba 4 and I can logon fine to the domain.
I used Yast to add the pam_krb5 package and ran pam-config -a --krb5
Now, only root can login in single mode.
/etc/pam.d/common-password before adding kerberos (works fine, but cannot unlock xscreensaver):

password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

/etc/pam.d/common-password after adding krb5 (no one can login apart from booting into single user):

password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_ldap.so try_first_pass use_authtok

I think it's something to do with this line:

password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
Does this mean that no user with a uid of less than 1000 will be able to authenticate?

This shouldn't stop you logging in and just affects setting passwords: http://stick.gk2.sk/blog/2009/11/useradd-passwd-vs-kerberos/
What if I'm in a bar and the KDC is not available? I'm locked out of my local account. This is a laptop.
Make sure sssd is installed and running and this shouldn't be an issue, as it caches your credentials for offline use.

Your file is the same as mine except my pam_ldap is replaced with pam_sss.so
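To make Andrew's point concrete, here is a small stack walker added for illustration (it is not code from the thread, from Linux-PAM or from openSUSE): it replays the "after krb5" common-password stack quoted above with Linux-PAM's control-flag semantics, using a constructed User model in place of real accounts, so you can see that `[default=ignore success=1]` does not lock anyone out; it only skips pam_unix2 for uid > 999 so that their password change goes to pam_krb5 instead, and, being a `password` stack, it is never consulted at login at all.

```python
"""Toy Linux-PAM 'password' stack walker (added example, not thread code)."""
from dataclasses import dataclass

@dataclass
class User:               # constructed test user, not a real account
    uid: int
    local: bool           # pam_unix2 holds a local password for this user
    kdc_up: bool          # pam_krb5 can reach the KDC right now

def _succeed_if(u): return "success" if u.uid > 999 else "fail"
def _unix2(u):      return "success" if u.local else "fail"
def _krb5(u):       return "success" if u.kdc_up else "fail"
def _always_ok(u):  return "success"

# (control, module, simulated result) in the order the thread quotes them
STACK = [
    ("requisite",                  "pam_pwcheck",       _always_ok),
    ("optional",                   "pam_gnome_keyring", _always_ok),
    ("[default=ignore success=1]", "pam_succeed_if",    _succeed_if),
    ("sufficient",                 "pam_unix2",         _unix2),
    ("sufficient",                 "pam_krb5",          _krb5),
    ("required",                   "pam_ldap",          _always_ok),
]

def walk(stack, user):
    """Return (final result, modules consulted) following Linux-PAM rules:
    requisite fails fast, required records the first failure and continues,
    sufficient ends the stack on success if nothing failed before it, optional
    never decides, and [value=action] maps a result to ignore/bad/die/done/N
    where N skips the next N modules."""
    i, first_fail, seen = 0, None, []
    while i < len(stack):
        ctrl, name, fn = stack[i]
        res = fn(user)
        seen.append(name)
        if ctrl.startswith("["):
            acts = dict(kv.split("=") for kv in ctrl.strip("[]").split())
            act = acts.get(res, acts.get("default", "bad"))
            if act == "bad":    first_fail = first_fail or "fail"
            elif act == "die":  return "fail", seen
            elif act == "done": return first_fail or "success", seen
            elif act.isdigit(): i += int(act)      # jump over next N modules
        elif ctrl == "requisite" and res != "success":
            return "fail", seen
        elif ctrl == "required" and res != "success":
            first_fail = first_fail or "fail"
        elif ctrl == "sufficient" and res == "success" and first_fail is None:
            return "success", seen
        i += 1
    return first_fail or "success", seen
```

Run `walk(STACK, User(uid=500, local=True, kdc_up=False))` and pam_krb5 is never reached; run it with uid=1000 and pam_unix2 is the module that is skipped.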
On 17/01/12 23:08, Andrew Colvin wrote:
On Sunday 15 Jan 2012 09:04:36 lynn wrote:
Hi everyone I want to be able to unlock xscreensaver when authenticated against Kerberos. The KDC is Samba 4 and I can logon fine to the domain.
I used Yast to add the pam_krb5 package and ran pam-config -a --krb5
Now, only root can login in single mode.
/etc/pam.d/common-password before adding kerberos (works fine, but cannot unlock xscreensaver):

password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

/etc/pam.d/common-password after adding krb5 (no one can login apart from booting into single user):

password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_ldap.so try_first_pass use_authtok

I think it's something to do with this line:

password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet

Does this mean that no user with a uid of less than 1000 will be able to authenticate?

This shouldn't stop you logging in and just affects setting passwords: http://stick.gk2.sk/blog/2009/11/useradd-passwd-vs-kerberos/
What if I'm in a bar and the KDC is not available? I'm locked out of my local account. This is a laptop.
Make sure sssd is installed and running and this shouldn't be an issue, as it caches your credentials for offline use.
Your file is the same as mine except my pam_ldap is replaced with pam_sss.so
Hi

Thanks for the reply. The only way I could get back in was by replacing the original pam.d. I've also now added sssd but that does not help.

The problem with xscreensaver remains. I authenticate against Kerberos (with no mention of kerberos in pam.d) but xscreensaver does not seem to know anything about my Kerberos password or key or whatever they call it. No matter what I try, I can only unlock xscreensaver from a local account.

Anyone any ideas?

Thanks,
L x