Hi Guys,
I have an Arch Linux server which is running MIT Kerberos 5.
I also have an Arch Linux machine which has pam_krb5 (from AUR) and Heimdal.
I know I have configured the server and client correctly, as kinit works and klist shows me the ticket created.
However, I am having a problem logging in (a few times I have actually locked myself out of the machine and have had to boot into rw init=/bin/bash to revert the changes in /etc/pam.d/login).
I am confident the problems are with PAM; I'm not really sure how to set PAM up to use pam_krb5.so. I followed the guide on the wiki (http://is.gd/bzO1Z), swapping pam_winbind.so with pam_krb5.so. (I swapped these as my server is an MIT Kerberos server and not Windows AD.)
My /etc/pam.d/login looked like this:
#%PAM-1.0
auth required pam_krb5.so use_first_pass use_authtok
account required pam_krb5.so use_first_pass use_authtok
password required pam_krb5.so use_first_pass use_authtok
session required pam_krb5.so use_first_pass use_authtok
#...(DEFAULT LINES WERE LEFT ALONE HERE)...
any ideas what I am doing wrong?
Last edited by tommed (2010-05-18 15:05:40)
I think you have to put all of your auth/account/session/password statements grouped together. At least that's how I've always seen it.
i.e.
auth
auth
account
account
password
password
session
session
not
auth
account
password
session
auth
account
password
session
Thanks,
I managed to get it working. I basically have to tell PAM that Kerberos login is sufficient, as is Unix auth.
Here is the final PAM file... comments very welcome!
auth sufficient pam_unix.so nullok
auth sufficient pam_krb5.so use_first_pass no_user_check
account sufficient pam_unix.so
account sufficient pam_krb5.so no_user_check
password sufficient pam_krb5.so use_authtok no_user_check
password sufficient pam_unix.so md5 shadow use_authtok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
I do, however, need a row in my passwd file for each account in my Kerberos database (otherwise you have to switch to using LDAP in nsswitch.conf, which I don't really want to do just yet).
Last edited by tommed (2010-04-22 08:13:50)
Note: be careful with the use of no_user_check. When I set it this way with a SLiM login, I found that the cred cache was unreadable by the user who had logged in. It makes sense when you understand what that option does:
no_user_check
tells pam_krb5.so to not check if a user exists on the local system, to skip authorization checks using the user's .k5login file, and to create ccache files owned by the current process's UID. This is useful for situations where a non-privileged server process needs to use Kerberized services on behalf of remote users who may not have local access. Note that such a server should have an encrypted connection with its client in order to avoid allowing the user's password to be eavesdropped.
Removing it solved the issue.
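As an added example (not code from the thread or from pam_krb5 itself), here is a small shell linter that checks a pam.d stack for the three things discussed above: no_user_check, auth/password-only options placed on account or session lines, and stacks made only of "sufficient" modules. It is run over the stack posted above and over a constructed variant that drops no_user_check and closes each stack with a required pam_deny.so; that pam_deny.so fallback is a convention assumed here, not something the thread prescribes.

```shell
# Added example, not code from the thread: lint a pam.d stack for the pitfalls
# discussed above. Assumes POSIX sh and awk; the stacks below are constructed.
# pam_lint FILE : print one finding per line; exit 0 when clean, 1 otherwise.
pam_lint() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    { type = $1; ctrl = $2; seen[type] = 1
      if (ctrl == "sufficient") suff[type]++
      if (ctrl == "required" || ctrl == "requisite") req[type]++
      for (i = 4; i <= NF; i++) {
        # the ccache is created owned by the calling process UID, so after a
        # login-manager login the user cannot read its own ticket cache
        if ($i == "no_user_check") {
          print FNR ": " type ": no_user_check skips the local-user check and mis-owns the ccache"; bad = 1 }
        # these options only mean something to auth and password modules
        if ((type == "account" || type == "session") && ($i == "use_first_pass" || $i == "use_authtok")) {
          print FNR ": " type ": " $i " is an auth/password option, not meaningful here"; bad = 1 }
      }
    }
    END { for (t in seen)                    # no required module at all: no explicit deny fallback
            if (suff[t] && !req[t]) { print t ": only sufficient modules, consider a required pam_deny.so fallback"; bad = 1 }
          exit bad }' "$1"
}
# The stack posted above, written to FILE as linter input.
write_thread_stack() {
    cat > "$1" <<'EOF'
auth sufficient pam_unix.so nullok
auth sufficient pam_krb5.so use_first_pass no_user_check
account sufficient pam_unix.so
account sufficient pam_krb5.so no_user_check
password sufficient pam_krb5.so use_authtok no_user_check
password sufficient pam_unix.so md5 shadow use_authtok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF
}
# Same stack with no_user_check dropped and an explicit deny closing each stack (assumed convention).
write_hardened_stack() {
    cat > "$1" <<'EOF'
auth sufficient pam_unix.so nullok
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_krb5.so
account required pam_deny.so
password sufficient pam_krb5.so
password sufficient pam_unix.so md5 shadow use_authtok
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF
}
```

Run it as `write_thread_stack /tmp/login.orig; pam_lint /tmp/login.orig` to see the six findings on the posted stack, and again on the hardened file to see it come back clean.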
MatteusBlanc, this thread was last posted to 4 years ago. Please do not necrobump threads, as Arch Linux changes quite frequently due to its rolling release nature.
Closing...