Bug 333393 - sys-auth/pambase[kerberos] error condition when pam_krb5 succeed
Summary: sys-auth/pambase[kerberos] error condition when pam_krb5 succeed
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: PAM Gentoo Team (OBSOLETE)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-19 08:35 UTC by Simon Alman
Modified: 2010-08-19 10:47 UTC

See Also:
Package list:
Runtime testing required: ---


Description Simon Alman 2010-08-19 08:35:51 UTC
Using the default /etc/pam.d/system-auth shown below, authentication succeeds but account fails for pam logins:

------------------------------------------------------------------------------
auth            required        pam_env.so
auth            [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
account         required        pam_unix.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow

session         required        pam_limits.so
session         required        pam_env.so
session         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
session         required        pam_unix.so
session         optional        pam_permit.so

------------------------------------------------------------------------------

The updated config below works when pam_krb5 is installed and also when it is removed. The critical line appears to be:

account         sufficient      pam_krb5.so  ignore_root try_first_pass

------------------------------------------------------------------------------
auth            required        pam_env.so
auth            sufficient      pam_krb5.so  ignore_root try_first_pass
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         sufficient      pam_krb5.so  ignore_root try_first_pass
account         required        pam_unix.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_krb5.so  ignore_root try_first_pass
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow

session         required        pam_limits.so
session         required        pam_env.so
session         optional        pam_krb5.so  ignore_root try_first_pass
session         required        pam_unix.so
session         optional        pam_permit.so
------------------------------------------------------------------------------

Reproducible: Always

Steps to Reproduce:
1. Install a working app-crypt/mit-krb5 installation - verified using ssh with "KerberosAuthentication yes" and "GSSAPIAuthentication yes"
2. Install pam_krb5
3. Attempt to authenticate using pam_krb5 (tested for ssh and lftp). Logs show successful authentication but account fails.

Actual Results:
Authentication failed when using pam_krb5-based authentication, even with a valid pam_unix account. When using the built-in Kerberos functionality, such as that in sshd, Kerberos authentication continued to work.

Expected Results:  
Once /etc/pam.d/system-auth was changed to include:

account         sufficient      pam_krb5.so  ignore_root try_first_pass

Authentication worked as normal once again.

My /etc/krb5.conf:

[libdefaults]
        ticket_lifetime = 1d
        default_realm = THEHAVENNET.ORG.UK
        default_tkt_enctypes = aes256-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
        forwardable = true

[realms]
        THEHAVENNET.ORG.UK= {
        kdc = saratoga.thehavennet.org.uk:88
        admin_server = saratoga.thehavennet.org.uk:749
        }

[domain_realm]
        .thehavennet.org.uk = THEHAVENNET.ORG.UK
        thehavennet.org.uk = THEHAVENNET.ORG.UK

[logging]
        kdc = SYSLOG
        admin_server = SYSLOG
        default = SYSLOG
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-19 10:05:28 UTC
Your account chain is not valid to actually be used as default, as it'll be IGNORING anything else besides Kerberos if it's not in the chain.

Can I ask you to test a different situation?

account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
account         required        pam_unix.so
account         optional        pam_permit.so
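To make the difference between the three account chains in this thread concrete, here is an added example (not part of the bug report and not pambase's or Linux-PAM's code): a small Python model of how a PAM stack is evaluated. It parses the pam.d lines quoted above and stubs the module results. The model follows the control-flag semantics documented in pam.conf(5) (required/requisite/sufficient/optional and the [value=action] form); the one modelled assumption that matters here is that a numeric jump action (success=1) only skips entries and records no result of its own, so a chain that ends right after the jump has nothing to return but the "must fail" code. That is exactly the symptom the report describes, and it is why the suggested fix appends an optional pam_permit.so after pam_unix.so.

```python
"""Simplified model of Linux-PAM stack evaluation (added example, not
project code).  Module return values are stubbed so the account chains
quoted in the bug can be compared offline."""

from typing import Dict, List, Tuple

# Return values used in this model (names follow the PAM_* codes).
SUCCESS, AUTH_ERR, IGNORE = "success", "auth_err", "ignore"
MUST_FAIL = "perm_denied"  # returned when no module recorded a result

# Expansion of the simple control keywords into [value=action] form,
# as documented in pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

Entry = Tuple[str, Dict[str, str], str]  # (type, actions, module)


def parse_pam_line(line: str) -> Entry:
    """Parse one pam.d line: type, control (keyword or [...] form), module, args."""
    tokens = line.split()
    svc_type = tokens[0]
    if tokens[1].startswith("["):
        # a bracketed control may span several tokens: [success=1 default=ignore]
        end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
        pairs = " ".join(tokens[1:end + 1]).strip("[]").split()
        actions = dict(p.split("=", 1) for p in pairs)
        module = tokens[end + 1]
    else:
        actions = SIMPLE_CONTROLS[tokens[1]]
        module = tokens[2]
    return svc_type, actions, module


def parse_chain(config: str, svc_type: str) -> List[Entry]:
    """Return the entries of one management group (e.g. 'account')."""
    return [
        parse_pam_line(l) for l in config.splitlines()
        if l.strip() and not l.lstrip().startswith("#") and l.split()[0] == svc_type
    ]


def dispatch(chain: List[Entry], results: Dict[str, str]) -> str:
    """Evaluate a chain; `results` maps each module to its stubbed return value."""
    impression = None          # None = undecided, "positive" or "negative"
    status = MUST_FAIL
    skip = 0
    for _, actions, module in chain:
        if skip:
            skip -= 1          # entry skipped by an earlier jump
            continue
        retval = results[module]
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore" or (retval == IGNORE and action in ("ok", "done")):
            continue
        if action in ("ok", "done"):
            # a success only overrides an undecided or still-successful state
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            # the first failure wins; later successes cannot clear it
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, MUST_FAIL
        else:
            # numeric jump: skip N entries and record nothing (model assumption)
            skip = int(action)
    return status


# Account chains from this bug (constructed from the quoted configs).
ORIGINAL = """
account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
account         required        pam_unix.so
"""
SUFFICIENT = """
account         sufficient      pam_krb5.so  ignore_root try_first_pass
account         required        pam_unix.so
"""
FIXED = """
account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
account         required        pam_unix.so
account         optional        pam_permit.so
"""


def account_result(config: str, krb5: str, unix: str = SUCCESS) -> str:
    """Outcome of the account stage for the given pam_krb5 / pam_unix results."""
    results = {"pam_krb5.so": krb5, "pam_unix.so": unix, "pam_permit.so": SUCCESS}
    return dispatch(parse_chain(config, "account"), results)


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("sufficient", SUFFICIENT), ("fixed", FIXED)):
        print(f"{name:10s} krb5=success -> {account_result(cfg, SUCCESS)}")
        print(f"{name:10s} krb5=ignore  -> {account_result(cfg, IGNORE)}")
```

Running it shows the original chain returning perm_denied when pam_krb5 succeeds (the jump lands past pam_unix.so and nothing else sets a result) while both the sufficient variant and the pam_permit.so variant return success; with pam_krb5 ignored, all three fall through to pam_unix.so, and a pam_unix.so failure in the fixed chain is still reported because the trailing optional pam_permit.so cannot clear a recorded failure.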
Comment 2 Simon Alman 2010-08-19 10:19:46 UTC
I can confirm that the change below works when applied to the default system-auth file. Tested against vsftp and sshd.

Regards

Simon

> Can I ask you to test a different situation?
> 
> account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
> account         required        pam_unix.so
> account         optional        pam_permit.so
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-19 10:27:12 UTC
Give me time to get lunch and I'll release a fixed pambase.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-19 10:47:34 UTC
Fixed in pambase-20100819, thanks!