Sorry about how long it took me to investigate this report. "R. Scott Bailey" <[EMAIL PROTECTED]> writes:
> Package: libpam-krb5 > Version: 3.5-1.1 > Severity: normal > Don't panic over the version. :-) This is package 3.5-1 with some local > instrumenting added in an attempt to understand what is going on. > Documentation claims: > "If the username provided to PAM contains an "@" and Kerberos can, > treating the username as a principal, map it to a local account > name, pam_authenticate() will change the PAM user to that local > account name." > This does not actually happen, and I can't figure out why. I have > attached /var/log/auth.log excerpts of login attempts (with "debug" > option specified) -- my version adds a few extra lines of information so > you can see what is happening with canonicalize_name()... Also note > these attempts were via telnet on the loopback interface and not > OpenSSH, in case that makes a difference. Yes, it does. It turns out that OpenSSH doesn't support this at all. But that was only one problem. The other problem was that pam-krb5 was canonicalizing the user far too late and was using the uncanonicalized name in various other places. I'd not really tested this feature to the extent that I should have. I've now gone back and remedied that problem and fixed a variety of bugs in the feature and it should work properly in pam-krb5 3.6, which I hope to release later this evening. Thank you very much for your report and analysis! -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

