pam and kerberos + xlock on Debian
Hallo,
I think you are the ones who can help me solve following problem.
On our faculty the people in charge of faculty computers decided
to migrate from /etc/{password,shadow} to kerberos. Passwords for
system accounts stay in /etc/password but all user auth should
be done through kerberos.
They use redhat linux, solaris, irix .... and everyhing runs
them just ok.
But me and my collegues and fellow students in the Natural Language
Laboratory run Debian.
We have pam + kerberos working with login, ssh, telnet, ftp,...
but not with xlock, xscreensaver and vlock.
(My observation is it doesn't work with programs that already run
under non-root uid.)
We have the following packages installed:
libkrb53 1.2.2-6
libpam-krb5 1.0-6
libpam-modules 0.72-9
libpam-runtime 0.72-9
libpam0g 0.72-9
krb5-config 1.1
krb5-user 1.2.2-6
and the /etc/pam.d/xlock file looks like:
auth sufficient pam_unix.so nullok
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
the /etc/pam.d/ssh (which works) looks like:
auth sufficient pam_unix.so nullok
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
auth required pam_env.so # [1]
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard # [1]
session required pam_limits.so
password required pam_unix.so
We have tried running the RH version of xlock,
compiled the pam kerberos module from RH, but nothing changed.
The only thing we haven't tried so far is replacing the Debian's
pam with the RH's.
Thanks for any advice.
--
Martin Povolný, xpovolny@fi.muni.cz, http://www.fi.muni.cz/~xpovolny
...one can now boot directly into emacs from LILO or GRUB,
and thus avoid the need for an operating system entirely... -- LWN
Reply to: