From owner-freebsd-questions@FreeBSD.ORG Mon May 9 15:53:23 2005
Date: Mon, 9 May 2005 08:53:21 -0700 (PDT)
From: Damian Sobieralski
To: freebsd-questions@freebsd.org
In-Reply-To: <20050506040544.3DFFE16A4D3@hub.freebsd.org>
Message-ID: <20050509155321.89400.qmail@web50408.mail.yahoo.com>
Subject: Re: Kerberos

Anyone?

Message: 20
Date: Thu, 5 May 2005 15:26:11 -0700 (PDT)
From: Damian Sobieralski
Subject: Re: Kerberos
To: freebsd-questions@freebsd.org
Message-ID: <20050505222611.56762.qmail@web50401.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii

> PAM does not map well to Kerberos, unfortunately. Generally speaking
> you want to avoid PAM with Kerberos if you can possibly use native
> Kerberos :-)

It seems my ignorance is kicking in here: how would they log into the
machine first, to issue "kinit"/native, if I don't use PAM to get them
INTO the machine?

> I haven't used pam_krb5 in a long time, but perhaps I can help debug
> things. Can you post your PAM configuration for however it is that
> you're logging in? (SSH, local console, kerberos telnet, etc). The
> ccache= option to the PAM module looks applicable, for example.

I just modified the /etc/pam.d/sshd file (only using kerberos for sshd):

  # auth
  auth      required    pam_nologin.so       no_warn
  auth      sufficient  pam_opie.so          no_warn no_fake_prompts
  auth      requisite   pam_opieaccess.so    no_warn allow_local
  auth      sufficient  pam_krb5.so          no_warn try_first_pass
  auth      required    pam_unix.so          no_warn try_first_pass

  # account
  account   required    pam_login_access.so
  account   required    pam_unix.so

  # session
  session   required    pam_permit.so

  # password
  password  required    pam_unix.so          no_warn try_first_pass

I wasn't using ccache, but I looked it up and tried. I put in a goofy
filename and when I do a kdestroy, logout, log back in and do a klist, I
don't see my weird filename. It still is looking for the /tmp/krbcc_ one.

  auth      sufficient  pam_krb5.so          no_warn try_first_pass ccache=/tmp/bubba_u%u_p%p

When I log in via pam and ssh, with this change shouldn't I see from
klist /tmp/bubba_u... as my ticket error, not the "no ticket found" with
the /tmp/krbcc one?