[opensuse] Kerberos & system users
Hi all

I am in the process of changing my OpenSUSE 11.3 system to use NFS4 and Kerberos. Following http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.sec... I succeeded in setting up Kerberos, and user login based on Kerberos now works perfectly.

But I now have a problem that local system accounts in /etc/password are no longer able to log in. This is a problem as this prevents cron from running as any user other than root.

Trying to log in or start a cron job, /var/log/messages reads:

login[5261]: Ukendt bruger for det underliggende godkendelsesmodul

I guess this is the same as:

login[5261]: User not known to the underlying authentication module

By using sudo su - [username] I can shift to the user account without problems. I guess I have to change something in pam.d to allow both types of login. But the PAM system is unknown stuff for me.

Any ideas, pointers?

--
Thanks
Klaus
Just to answer my own question:

On 16-09-2011 22:35, Klaus Vink Slott wrote:
> I am in the process of changing my OpenSUSE 11.3 system to use NFS4 and Kerberos. [snip] ... user login based on Kerberos now works perfectly.
> But I now have a problem that local system accounts in /etc/password are no longer able to log in. This is a problem as this prevents cron from running as any user other than root.

Comparing with a working system, I found that in the PAM file common-account-pc the "ignore_unknown_principals" option was missing on the Kerberos line. The full line should read:

account required pam_krb5.so use_first_pass ignore_unknown_principals

I have no idea why the option was missing. Originally I modified PAM by running "pam-config --add --krb5". The script must have failed; maybe I ran the script in the wrong order, before the Kerberos libraries were installed.

--
Have a nice weekend!
Klaus
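
As an added example (not part of the original post): a shell check for the condition described in the reply above, an account entry that loads pam_krb5.so without ignore_unknown_principals. The function name check_krb5_account and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. check_krb5_account is a hypothetical helper.
# Prints FILE:LINE: text for every "account" entry that loads pam_krb5.so
# without ignore_unknown_principals. Returns 0 if clean, 1 if any are found,
# 2 if the file cannot be read.
check_krb5_account() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    awk -v f="$1" '
        { sub(/#.*/, "") }                       # strip comments
        NF < 3 { next }                          # blank or incomplete entry
        {
            type = $1; sub(/^-/, "", type)       # "-account": module may be absent
            if (type != "account") next
            i = 2                                # control field, maybe "[a=b c=d]"
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            if ($(i + 1) !~ /(^|\/)pam_krb5\.so$/) next
            for (j = i + 2; j <= NF; j++)
                if ($j == "ignore_unknown_principals") next
            printf "%s:%d: %s\n", f, NR, $0
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: the first krb5 entry lacks the option.
sample=$(mktemp)
cat > "$sample" <<'EOF'
account required pam_unix2.so
account required pam_krb5.so use_first_pass
account [default=bad success=ok] pam_krb5.so ignore_unknown_principals
EOF
check_krb5_account "$sample" || echo "fix the entries listed above"
rm -f "$sample"
```

On the system in the thread, the file to check is common-account-pc under /etc/pam.d.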