On Sun, Oct 18, 2009 at 03:30:21PM -0000, Brian J. Murrell wrote:
> common-account:
> account       [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so debug audit
> account       [success=1 default=ignore]      pam_ldap.so

Where's the pam_deny line that was supposed to be here?

> account       required                        pam_permit.so
> account       required                        pam_krb5.so debug minimum_uid=1000

> So to me that means that the pam_unix.so or pam_ldap.so have to be
> "success"ful causing a jump over the (first) pam_permit, otherwise this
> would all just work and I would not be filing this bug.

Your common-account does not match the system-managed file used by
pam-auth-update.  The jumps are supposed to jump *to* pam_permit, not *over*
it.

> That simply changing the pam_krb5 to pam_permit says to me that pam_krb5
> must be failing the account processing.

Sure, because you're skipping the line that's supposed to set the return
value for the stack (pam_permit).  pam_krb5 doesn't set the return value for
the stack when called for a non-Kerberos user, it returns PAM_IGNORE; and
jumps also don't set the return value for the stack.  You have to hit either
the pam_permit or the (missing) pam_deny line to set the stack's return
value.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

** Changed in: libpam-krb5 (Ubuntu)
       Status: Incomplete => Invalid
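
The stack behaviour described in the reply above, as an added example that is not part of the original message or of Linux-PAM: a simplified model of how one PAM stack is evaluated, run over the reported common-account and over the same file with a pam_deny line restored. The `requisite pam_deny.so` control and its position after pam_ldap are assumptions, the per-module return values are constructed for a local, non-Kerberos user, and all function and variable names are hypothetical.

```python
# Simplified model of Linux-PAM stack evaluation (account phase).
# RESULTS: constructed module return values for a local, non-Kerberos user.
RESULTS = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown",
           "pam_deny.so": "acct_expired", "pam_permit.so": "success",
           "pam_krb5.so": "ignore"}   # PAM_IGNORE, as stated in the reply
# Bracket-form equivalents of the simple control keywords.
KEYWORDS = {name: {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore",
                   "default": default}
            for name, default in (("required", "bad"), ("requisite", "die"))}
REPORTED = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so debug audit
account [success=1 default=ignore] pam_ldap.so
account required pam_permit.so
account required pam_krb5.so debug minimum_uid=1000
"""
# Assumption: the missing line is "requisite pam_deny.so", placed after pam_ldap.
WITH_DENY = REPORTED.replace("account required pam_permit.so",
    "account requisite pam_deny.so\naccount required pam_permit.so")

def parse(line):
    """Return (actions, module) for one 'account <control> <module>' line."""
    rest = line.split(None, 1)[1]
    if rest.startswith("["):
        ctrl, rest = rest[1:].split("]", 1)
        return dict(kv.split("=") for kv in ctrl.split()), rest.split()[0]
    ctrl, rest = rest.split(None, 1)
    return KEYWORDS[ctrl], rest.split()[0]

def run_stack(config, results=RESULTS):
    stack = [parse(l) for l in config.strip().splitlines()]
    impression, status, i = None, "perm_denied", 0  # fails unless a module sets it
    while i < len(stack):
        actions, module = stack[i]
        ret = results[module]
        action = actions.get(ret, actions["default"])
        i += 1
        if action.isdigit():            # jump: skip N lines, result untouched
            i += int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret
            if action == "die":
                break
    return status
```

`run_stack(REPORTED)` ends without any module having set a result, so the stack fails; `run_stack(WITH_DENY)` lands the same jump on pam_permit and succeeds.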

-- 
pam-configs prevents root login with pam_unix
https://bugs.launchpad.net/bugs/454012
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
