search for: pam_krb5

...ive directory network. If I do a getent passwd, I see the users with a unix UID/GID. If use kinit, I can get a token. If I su to a user, it creates a home folder, and shows correct IDs etc. However the machine will not log in via ssh or the GUI. In secure I see: Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ccache dir: /tmp Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: keytab: FILE:/etc/krb5.keytab Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM' Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating ...

...I'm not a list subscriber. I'm running a fairly recent -STABLE [1] and have installed the base Heimdal Kerberos implementation via the MAKE_KERBEROS5 knob in /etc/make.conf. I'm having the problem that I don't see a cached credential file being created in /tmp. I uncommented the pam_krb5 for login in /etc/pam.conf and adjusted it as follows: login auth sufficient pam_krb5.so try_first_pass debug login auth required pam_unix.so try_first_pass login account required pam_unix.so login password required pam_permit.so login session required...

Hi all, I am just after some opinions about the pros and cons of winbind compared to the 'standard' kerberos and ldap methods. I've have already got single sign on working with pam_krb5 and nss_ldap (using SASL/GSSAPI) against SBS 2003 (with MSSFU 3.0) using Debian Sarge as clients/'member servers', and integration of Samba is the next bit I'm looking at. The impressions I get are (corrections welcome): Winbind should be a bit simpler to set up than the pam/nss optio...

Hello Rowland, Sorry for the workgroup and realm name, I put MYDOMAIN to anonymize, should be : realm = MYDOMAIN.LOCAL workgroup = MYDOMAIN About libpam-krb5 installed, I have on my system : yum list krb5-workstation pam_krb5 krb5-workstation.x86_64 1.15.1-37.el7_6 @updates pam_krb5.x86_64 2.4.8-6.el7 @base Is pam_krb5 equivalent to libpam-krb5 on centos 7 ? > On 15/06/2019 01:40, eguigne--- via samba wrote: >> Dear Samba Users, >...

openssh-unix-dev at mindrot.org kerberos at ncsa.uiuc.edu We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5 module. When a Kerberos principal has the REQUIRES_PWCHANGE (+needchange) flag set, OpenSSH+pam_krb5 will still successfully authenticate the user. Local 'su' and 'login' fail in this case which leads us to believe it's at least partially a problem with OpenSSH's PAM code....

First time poster so be kind :) I was looking at the pam_krb5.c code and noticed that for authentication to succeed getpwnam() has to succeed. Previously I had setup a web site using mod_auth_pam to authenticate against an active directory (AD) server using a pam config like: # auth auth required pam_krb5.so no_ccache no_warn # accoun...

Ok, so, things are complicated. The PAM standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as required by PAM even though the user can't be said to be authenticated at that point. The problem with this is that by the time pam_acct...

...onfiguring the pam.conf file, and there are significant differences between Solaris 9 and 10. For dovecot, I use the "other" service, in Solaris 9 pam.conf looks like: other auth sufficient /usr/lib/security/pam_unix.so.1 debug other auth sufficient /usr/lib/security/pam_krb5.so.1 try_first_pass debug other account optional /usr/lib/security/pam_unix.so.1 other account optional /usr/lib/security/pam_krb5.so.1 debug other session required /usr/lib/security/pam_unix.so.1 other session optional /usr/lib/security/pam_krb5.so.1 debug ot...

Greetings ... Have a question, was is the advantages of use pam_winbind verses pam_krb5 for Samba user authentaction? I mean, if I point my Linux box Kerberos to a Win2003 AD server, I am able to authenticate my users out of AD, but at the moment still having problems with winbind and nsswitch. Is there an advantage to using pam_winbind instead of pam_krb5? Mailed Lee

Hi, Just writing here my note about auth_default_realm, pam_krb5 and gssapi. It seems that 'pam' passdb and 'gssapi' auth_mechanism doesn't honor 'auth_default_realm' setting, at least in several setups I deal with. Here is a part of the config: passdb { args = max_requests=100 cache_key=%u%r dovecot driver = pam } auth_def...

CentOS Errata and Security Advisory 2008:0907 Moderate Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0907.html The following updated files have been uploaded and are currently syncing to the mirrors: ( md5sum Filename ) x86_64: 170d6bff250c6421af85fe945afac813 pam_krb5-2.2.14-1.el5_2.1.i386.rpm 52cd3e3625edcd04e98bef7f50c4e19d pam_krb5-2.2.14-1.el5_2.1.x86_64.rpm Source: 16d994e0703fd6e62b9984147c83d095 pam_krb5-2.2.14-1.el5_2.1.src.rpm -- Karanbir Singh CentOS Project { http://www.centos.org/ } irc: z00dax, #centos at irc.freenode.net

CentOS Errata and Bugfix Advisory 2010:0529 Upstream details at : https://rhn.redhat.com/errata/RHBA-2010-0529.html The following updated files have been uploaded and are currently syncing to the mirrors: x86_64: pam_krb5-2.1.17-8.el4_8.1.i386.rpm pam_krb5-2.1.17-8.el4_8.1.x86_64.rpm Source: pam_krb5-2.1.17-8.el4_8.1.src.rpm -- Karanbir Singh CentOS Project { http://www.centos.org/ } irc: z00dax, #centos at irc.freenode.net

CentOS Errata and Bugfix Advisory 2011:1016 Upstream details at : https://rhn.redhat.com/errata/RHBA-2011-1016.html The following updated files have been uploaded and are currently syncing to the mirrors: ( md5sum Filename ) x86_64: 3720267fe5df2bfb732084f67ecfc7c6 pam_krb5-2.2.14-21.el5.i386.rpm 2806603ba5624fbef4c756b058c971ad pam_krb5-2.2.14-21.el5.x86_64.rpm Source: 43949a067e3e815b9fff6d037772d420 pam_krb5-2.2.14-21.el5.src.rpm -- Karanbir Singh CentOS Project { http://www.centos.org/ } irc: z00dax, #centos at irc.freenode.net

with the following pam.conf entries, after being prompted for a login password the connection is closed: other auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass the system logs the error: sshd[4215]: fatal: input_userauth_info_response_pam: no authentication context if the pam.conf entry is changed to the following less than desirable entry: other auth sufficient /usr/l...

http://bugzilla.mindrot.org/show_bug.cgi?id=127 Summary: PAM with ssh authentication and pam_krb5 doesn't work properly Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-un...

http://bugzilla.mindrot.org/show_bug.cgi?id=128 Summary: PAM with ssh authentication and pam_krb5 doesn't work properly Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-un...

http://bugzilla.mindrot.org/show_bug.cgi?id=228 Summary: pam_krb5 on Solaris creates credentials with wrong owner Product: Portable OpenSSH Version: 3.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-un...

...#39;s GSSAPI patch. All the expected functionality seems to be there: I can ssh/scp/sftp via Kerberos tickets or local password. However, I seem to be getting a new error message in my logs: For Red Hat 7.3: Message from syslogd at gallifrey at Thu Oct 2 17:24:12 2003 ... gallifrey sshd[1758]: pam_krb5: authenticate error: Input/output error (5) And On Red Hat 9: Message from syslogd at k9 at Thu Oct 2 13:13:17 2003 ... k9 sshd[25855]: pam_krb5: authenticate error: Preauthentication failed (-1765328360) This occurs whether I am using a Kerberos ticket to get in or simply trying local passwor...

...already working.? I can SSH to the system, and I get > a proper ticket.? My only issue is that it doesn't refresh the ticket > before expiry when I ssh to a system.? I think I can script around > that and just not rely on winbind to do it. Why do you (seemingly) not want to install pam_krb5 ? you do not need a script with it. Rowland

http://bugzilla.mindrot.org/show_bug.cgi?id=563 Summary: getaddrinfo() in libopenbsd-compat.a breaks heimdal- linked pam_krb5 Product: Portable OpenSSH Version: -current Platform: Sparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:...