Looks like the pam_krb5 rpm has not been updated to match the remake of krb5-1.1.1-16 releases. Login using pam_krb5 failed: login: PAM adding faulty module: /lib/security/pam_krb5.so
What are the contents of /etc/pam.d/login? Are there any messages preceding this line in /var/log/messages that would indicate what it is that's making the module faulty?
> Here is my previous /etc/pam.d/login which worked under > krb5-workstation-1.0.5: > > #%PAM-1.0 > auth required /lib/security/pam_securetty.so > auth required /lib/security/pam_nologin.so > auth sufficient /lib/security/pam_krb5.so > auth sufficient /lib/security/pam_pwdb.so shadow nullok > account required /lib/security/pam_pwdb.so > password required /lib/security/pam_cracklib.so > password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow > session required /lib/security/pam_pwdb.so > session optional /lib/security/pam_console.so > > And the updated /etc/pam.d/login (copied from /usr/doc/pam_krb5-1/pam.d/login): > > #%PAM-1.0 > auth required /lib/security/pam_securetty.so > auth required /lib/security/pam_nologin.so > auth sufficient /lib/security/pam_unix.so shadow md5 nullok likeauth > auth required /lib/security/pam_krb5.so use_first_pass > account required /lib/security/pam_unix.so > password required /lib/security/pam_cracklib.so > password required /lib/security/pam_unix.so shadow md5 nullok use_authtok > session required /lib/security/pam_unix.so > session optional /lib/security/pam_krb5.so > session optional /lib/security/pam_console.so > > Section of /var/log/message related to pam while logging in on the console: > > May 31 13:55:51 lnxhost login: PAM unable to dlopen(/lib/security/pam_krb5.so) > May 31 13:55:51 lnxhost login: PAM [dlerror: libkrbafs.so.1: cannot open > shared object file: No such file or directory] > May 31 13:55:51 lnxhost login: PAM adding faulty module: > /lib/security/pam_krb5.so > May 31 13:55:54 lnxhost PAM_unix[1878]: authentication > failure;LOGIN(uid=0) -> crn for login service > May 31 13:55:57 lnxhost login[1878]: FAILED LOGIN SESSION FROM (null) > FOR crn, Module is unknown > May 31 13:55:59 lnxhost login: PAM unable to > dlopen(/lib/security/pam_krb5.so) > May 31 13:55:59 lnxhost login: PAM [dlerror: libkrbafs.so.1: cannot open > shared object file: No such file or directory] > May 31 13:55:59 lnxhost login: PAM adding faulty module: > /lib/security/pam_krb5.so > May 31 13:56:03 lnxhost PAM_unix[1959]: authentication failure; > LOGIN(uid=0) -> crn for login service > > We don't use AFS here, so the message about missing libkrbafs.so is > expected, I suppose. > Remote klogin works okay, BTW. We've never shipped Kerberos 5 1.0.5. A problem loading the krbafs.so.1 shared library is what's causing the module to not load properly. Do you have the krbafs package installed?
> But when I tried to install krbafs.so from krbafs-1.0-3, > ldconfig gave me a warning and skipping over it: > > /sbin/ldconfig: warning: can't open /usr/lib/qt-2.0.1/lib > (No such file or directory), skipping > > can be found in qt-Xt-2.1.0 or qt-devel-2.1.0, > but no where can I find qt-2.0.1 on the CDs. Is it a typo or > I have to go back to version 2.0.1? No, but for some reason you still have /usr/lib/qt-2.0.1/lib listed in your /etc/ld.so.conf file. Open it up in a text editor and remove it.
Was this problem taken care of by installing the krbafs package? I can't reproduce in rawhide or 6.2 with the krbafs package installed on the system.
Resulution of this problem: 1) Install krbafs package to satify a reference for libkrbafs.so, even AFS is not in use. (Should it be put in dependence check for installing krb5?) 2) Remove /usr/lib/qt-2.0.1 in /etc/ld.so.conf if it appeared there. 3) Replace all files /etc/pam.d with those in /usr/doc/pam_krb-1/pam.d (One should be very careful about the wholesale changes if local modifications/policies were made.) 4) The kde pam file is missing in /usr/doc/pam_krb_1/pam.d, so one need to copy, say, /etc/pam.d/xdm to /etc/pam.d/kde. Now it works like a charm.
Looks like that solved it. The new authconfig/pam setup in Raw Hide should simplify enabling Kerberos 5 support (as well as making it much safer and easier to back it out) in subsequent releases.