Summary: | sys-auth/pam_krb5-2.2.6-r1: kerberos password is not accepted | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Martin Mokrejš <mmokrejs>
Component: | [OLD] Server | Assignee: | PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled>
Status: | RESOLVED INVALID | |
Severity: | trivial | CC: | kerberos
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Attachments: | pam_krb5-2.2.6-r1.ebuild | |
Description
Martin Mokrejš 2006-07-10 15:05:09 UTC
Created attachment 91403: pam_krb5-2.2.6-r1.ebuild
This ebuild works on ~x86. The issue is, I guess, a configuration problem and not a problem with the compilation process.
checking for krb5-config... /usr/bin/krb5-config
checking for krb4-config... :
configure: WARNING: krb4 not found
checking if pam_krb5 knows how to set AFS tokens on linux-gnu... yes
checking for main in -lresolv... yes
checking for KRB5_CFLAGS... -I/usr/include/heimdal
checking for KRB5_LIBS... -L/usr/lib -lkrb5 -lasn1 -lcom_err -lcrypto -lroken -lcrypt -ldl -lresolv -lpthread
checking sys/ioccom.h usability... no
checking sys/ioccom.h presence... no
checking for sys/ioccom.h... no
checking for inttypes.h... (cached) yes
checking for stdint.h... (cached) yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking security/pam_modules.h usability... yes
checking security/pam_modules.h presence... yes
checking for security/pam_modules.h... yes
checking security/pam_misc.h usability... yes
checking security/pam_misc.h presence... yes
checking for security/pam_misc.h... yes
checking for getpwnam_r... yes
checking for __posix_getpwnam_r... no
checking for crypt... no
checking for crypt in -lcrypt... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking for krb_life_to_time... no
checking for krb_time_to_life... no
checking for krb5_init_secure_context... no
checking for krb5_free_unparsed_name... no
checking for krb5_free_default_realm... no
checking for krb5_set_principal_realm... no
checking for krb_in_tkt... no
checking for in_tkt... no
checking for krb_save_credentials... no
checking for save_credentials... no
checking whether error_message is declared... yes
checking com_err.h usability... yes
checking com_err.h presence... yes
checking for com_err.h... yes
checking et/com_err.h usability... yes
checking et/com_err.h presence... yes
checking for et/com_err.h... yes
checking whether krb5_os_localaddr is declared... no
checking whether krb5_os_hostaddr is declared... no
checking whether krb5_copy_addr is declared... no
checking whether krb5_get_all_client_addrs is declared... yes
checking for krb5_const_realm... yes
checking for krb5_creds.keyblock... no
checking for krb5_creds.session... yes
checking for krb5_keyblock.enctype... no
checking for krb5_keyblock.keytype... yes
checking for krb524_convert_creds_kdc... yes
checking for krb5_524_convert_creds... no
checking for krb524_convert_creds_kdc... (cached) yes
checking for dlopen... no
checking for dlopen in -ldl... yes
checking for pam_get_item... no
checking for pam_get_item in -lpam... yes
checking for misc_conv... no
checking for misc_conv in -lpam_misc... yes
Using "EXAMPLE.COM" as the default realm
Using "/tmp" to store ccache files
Using "FILE:/etc/krb5.keytab" as the default keytab
will link using "-Wl,-Bsymbolic" to reduce conflicts
checking for location to install module and helpers... modules in /lib/security, helpers in /lib/security/pam_krb5
configure: creating ./config.status
I have not tested it with heimdal, but it should be a configuration problem given that it is not specific to a particular service; btw in bug #134307 a user reported to have it working with heimdal. Some considerations:

- the ignore_root option does not exist
- why do you enable use_first_pass? It inhibits a password request, trying to use instead one used in a module that comes earlier in the pam stack, in this case none afaics. Try removing it and see if it helps. Another possibility is using the "no_initial_prompt" option, which uses v5_get_creds and krb5_kuserok to do the auth (thus using .k5login).

OK, the following setup works for me except for the fact that su asks first for the kerberized password for root, and the ignore_root option would be helpful in this case, while re-typing the password on the second prompt is treated as a local password so I can get in. However, this setup with heimdal-0.7.2-r2 works for a user with TTY login, ssh login, xscreensaver-5.00. I had to remove the ~/.k5login which was only u+rw, but still, in /var/log/messages I saw:

Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: krb5_get_init_creds_password(krbtgt/DOMA@DOMA) returned 0 (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: got result 0 (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: account checks fail for 'mmokrejs@DOMA': user disallowed by .k5login file for 'mmokrejs'
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Permission denied (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: pam_authenticate returning 6 (Permission denied)

Maybe that was caused by the fact that the file was user writable. Making it readable by everybody did not help, and at least on kth-krb4 the .klogin file must not have been world-readable, so I don't think heimdal would allow that either.

Anyway, my tested setup:

# cat /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_krb5.so debug
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so

# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_krb5.so
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so

Ok; I'll close this as INVALID then, since it was a configuration mistake.

For those curious: when a user unlocks an X11 session through xscreensaver with the kerberos password, his/her kerberos ticket is renewed. Also AFS tokens are renewed, but it seems xscreensaver looks for krbtgt/cellname@REALM and afs/cellname@REALM in addition to krbtgt/REALM@REALM and afs@REALM.
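The maintainer's point about use_first_pass, as an added example that is not part of the bug report or of pam_krb5 itself: a small Python lint run over a constructed copy of the reporter's auth stack, flagging use_first_pass on a module that comes before any module that could have supplied a password. The list of non-prompting modules is an assumption.

```python
"""Static check of a pam.d auth stack for the ordering pitfall raised in
this bug: a module given use_first_pass with no earlier auth module that
could have stored a password. Added example, not part of the bug report."""
import re

# Constructed variants of the reporter's /etc/pam.d/system-auth auth section:
# the shape the maintainer objected to (use_first_pass on the first module
# that takes a password) and the version the reporter ended up with.
BROKEN = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth required pam_deny.so
"""
FIXED = BROKEN.replace("pam_krb5.so use_first_pass", "pam_krb5.so debug")

# Modules that neither prompt for nor store a password (assumed list).
NON_AUTHTOK = {"pam_env.so", "pam_rootok.so", "pam_wheel.so"}

def parse_auth(text):
    """Return (control, module, options) for each 'auth' line, skipping
    comments, blank lines and the other management groups."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if fields[0] == "auth" and len(fields) >= 3:
            out.append((fields[1], fields[2], fields[3:]))
    return out

def lint_auth(text):
    """Warn when use_first_pass appears before any module that could have
    left a password for it to reuse; pam_krb5 would then never prompt."""
    warnings = []
    seen_source = False
    for _control, module, opts in parse_auth(text):
        if "use_first_pass" in opts and not seen_source:
            warnings.append(f"{module}: use_first_pass but no earlier auth module "
                            "prompts for a password, so there is none to reuse")
        if module not in NON_AUTHTOK:
            seen_source = True  # 'include' lines count as a possible source
    return warnings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_auth(cfg) or ["ok"])
```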