Date: Sat, 3 Sep 2005 11:44:34 +0200
From: Stijn Hoop <stijn@win.tue.nl>
To: freebsd-arch@freebsd.org
Subject: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED
Message-ID: <20050903094434.GA852@pcwin002.win.tue.nl>

Hi,

I'm debugging a problem on 5-STABLE where I've set up a KDC using Heimdal in the base system, and activated pam_krb5 in /etc/pam.d/sshd. It turns out that pam_krb5 does not establish the credential cache for the authenticated user.

After reinstalling pam with DEBUG & PAM_DEBUG, it turns out that pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags, and never with PAM_ESTABLISH_CRED, which is the only case for which a credential cache will be saved (in all other cases, PAM_SUCCESS is returned immediately, which is why I don't have a cache).

My questions:

- is this due to my pam setup? I've used the default /etc/pam.d/ssh while uncommenting the pam_krb5 entries, and I've also tried having only pam_krb5 as being required for all types. Both setups did not make any difference.

- shouldn't pam_krb5 re-establish the credential cache when called with PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a total pam newbie so I'm going only by the name of the flag; I couldn't find a manpage that made the semantics of these flags more clear.

--Stijn

-- 
"What if everything you see is more than what you see -- the person next to you is a warrior and the space that appears empty is a secret door to another world? What if something appears that shouldn't? You either dismiss it, or you accept that there is much more to the world than you think. Perhaps it really is a doorway, and if you choose to go inside, you'll find many unexpected things."
		-- Shigeru Miyamoto
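
The flag dispatch described in the message above, as an added example that is not part of the original e-mail and is not pam_krb5's source. The `EX_` names, their values and the three functions are stand-ins constructed here so the block builds without PAM headers; it shows why a caller that only ever passes the reinitialize flag sees success and still ends up with no credential cache.

```c
#include <stdio.h>

/* Stand-in flag bits, constructed for this example so it builds without PAM
 * headers; a real module takes the PAM_* constants from <security/pam_appl.h>. */
enum { EX_ESTABLISH_CRED = 0x1, EX_DELETE_CRED = 0x2,
       EX_REINITIALIZE_CRED = 0x4, EX_REFRESH_CRED = 0x8,
       EX_SILENT = 0x8000, EX_ACTION_MASK = 0xf, EX_SUCCESS = 0 };

/* Name the action a setcred call asks for; exactly one action bit is expected. */
const char *ex_action_name(int flags)
{
    switch (flags & EX_ACTION_MASK) {
    case EX_ESTABLISH_CRED:    return "ESTABLISH_CRED";
    case EX_DELETE_CRED:       return "DELETE_CRED";
    case EX_REINITIALIZE_CRED: return "REINITIALIZE_CRED";
    case EX_REFRESH_CRED:      return "REFRESH_CRED";
    default:                   return "INVALID"; /* none, or several at once */
    }
}

/* Handler shaped like the behaviour reported in the message: only the
 * establish flag stores a cache, every other flag returns success at once. */
int ex_setcred_as_reported(int flags, int *cache_written)
{
    *cache_written = 0;
    if ((flags & EX_ACTION_MASK) != EX_ESTABLISH_CRED)
        return EX_SUCCESS;
    *cache_written = 1; /* stands in for saving the ticket cache */
    return EX_SUCCESS;
}

/* Returns 1 when the call reports success without leaving a cache behind for
 * any request other than delete: the symptom described in the message. */
int ex_silent_noop(int flags)
{
    int wrote = 0;
    int rc = ex_setcred_as_reported(flags, &wrote);
    fprintf(stderr, "setcred(%s) rc=%d cache=%d\n", ex_action_name(flags), rc, wrote);
    return rc == EX_SUCCESS && !wrote && (flags & EX_ACTION_MASK) != EX_DELETE_CRED;
}

/* Constructed call: the application only ever asks to reinitialize. */
int main(void)
{
    return ex_silent_noop(EX_REINITIALIZE_CRED | EX_SILENT) ? 0 : 1;
}
```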