Bug 508488
| Summary: | 2.3.5-1 update causes auth failure for OS X clients | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ray Gibson <booray> |
| Component: | pam_krb5 | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Priority: | low |
| Version: | rawhide | CC: | booray, nalin |
| Hardware: | x86_64 | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2009-07-04 18:56:42 UTC |
Description
Ray Gibson
2009-06-27 19:19:03 UTC
(In reply to comment #0)
> /etc/pam.d/netatalk:
> #%PAM-1.0
> auth required pam_env.so
> auth sufficient pam_ldap.so use_first_pass
> auth sufficient pam_krb5.so use_first_pass
> auth sufficient pam_unix.so

This looks like a configuration problem. The 'use_first_pass' argument instructs a module to not prompt for a password, but to only try to authenticate the user using a password which was prompted for and given to libpam by a previously-called module. In this case, pam_unix is the only module that's being allowed to ask the user for a password, and it's being called after pam_ldap and pam_krb5 have already had their chance.

I suspect that what you need to do instead is this:

    auth required pam_env.so
    auth sufficient pam_ldap.so
    auth sufficient pam_krb5.so use_first_pass
    auth sufficient pam_unix.so use_first_pass

I think that'll fix the problem. Personally, I'd just move the pam_unix call first, or have netatalk use the default configuration (which among other things, is set up to never ask the network about "system" users such as root), but this should do.

Unless there's another problem, I'm tempted to mark this as closed->worksforme.

Hi Nalin, I definitely appreciate your time and comments. Please give me an additional 24 hours to follow your suggestion before you close; I will report back success as soon as possible. The default netatalk file didn't have krb or ldap in it, so I originally copied those lines out of another file. Thanks.

Worked Great. Thanks.
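An added example, not part of the original thread or of pam_krb5: a small Python check for the ordering problem discussed above, run over the two stacks quoted in the thread. The function names and the NON_PROMPTING list are assumptions made for illustration, and `include`/`substack` lines are assumed to be able to prompt because the included file is not inspected.

```python
# Assumption: auth modules that never ask for a password (illustrative, not exhaustive).
NON_PROMPTING = {"pam_env.so", "pam_nologin.so", "pam_permit.so", "pam_deny.so"}

# The two stacks quoted in this thread.
BROKEN = """#%PAM-1.0
auth required pam_env.so
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_unix.so
"""
FIXED = """auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_unix.so use_first_pass
"""

def parse_auth_stack(text):
    """Yield (lineno, control, module, args) for each 'auth' line of a PAM service file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        rest = fields[1:]
        control = rest.pop(0)
        # A bracketed control such as [success=1 default=ignore] may contain spaces.
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)
        if rest:
            yield lineno, control, rest[0].rsplit("/", 1)[-1], rest[1:]

def unsatisfied_use_first_pass(text):
    """Return [(lineno, module)] where use_first_pass has no earlier module able to prompt."""
    findings, password_collected = [], False
    for lineno, control, module, args in parse_auth_stack(text):
        if control in ("include", "substack"):
            password_collected = True  # included stack is not inspected; assume it may prompt
        elif module in NON_PROMPTING:
            continue
        elif "use_first_pass" in args:
            if not password_collected:
                findings.append((lineno, module))
        else:
            password_collected = True  # assumed able to ask for the password itself
    return findings

if __name__ == "__main__":
    for name, stack in (("original", BROKEN), ("suggested", FIXED)):
        print(name, unsatisfied_use_first_pass(stack))
```

A module given `try_first_pass` is treated as able to prompt, since it falls back to asking when no earlier password exists.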