On Sun, Oct 18, 2009 at 03:30:21PM -0000, Brian J. Murrell wrote:
> common-account:
> account [success=2 new_authtok_reqd=done default=ignore]
> pam_unix.so debug audit
> account [success=1 default=ignore] pam_ldap.so

Where's the pam_deny line that was supposed to be here?

> account required pam_permit.so
> account required pam_krb5.so debug
> minimum_uid=1000

> So to me that means that the pam_unix.so or pam_ldap.so have to be
> "success"ful causing a jump over the (first) pam_permit, otherwise this
> would all just work and I would not be filing this bug.

Your common-account does not match the system-managed file used by
pam-auth-update. The jumps are supposed to jump *to* pam_permit, not *over*
it.

> That simply changing the pam_krb5 to pam_permit says to me that pam_krb5
> must be failing the account processing.

Sure, because you're skipping the line that's supposed to set the return
value for the stack (pam_permit). pam_krb5 doesn't set the return value for
the stack when called for a non-Kerberos user, it returns PAM_IGNORE; and
jumps also don't set the return value for the stack. You have to hit either
the pam_permit or the (missing) pam_deny line to set the stack's return
value.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

** Changed in: libpam-krb5 (Ubuntu)
       Status: Incomplete => Invalid

-- 
pam-configs prevents root login with pam_unix
https://bugs.launchpad.net/bugs/454012
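
The stack evaluation described in the reply above, as an added example that is not part of the original message and is not libpam's code: a simplified Python model in which jumps and ignored results set no stack value. The names `run_stack` and `parse`, the result tokens, the sample results and the `WITH_DENY` layout are assumptions made for illustration.

```python
# Simplified model of PAM stack evaluation (added example, not libpam's code).
LEGACY = {  # bracket forms of the keyword controls (new_authtok_reqd omitted)
    "required": "[success=ok ignore=ignore default=bad]",
    "requisite": "[success=ok ignore=ignore default=die]",
}

def parse(control):
    """Turn a control field into {module result: action}."""
    items = LEGACY.get(control, control).strip("[]").split()
    pairs = (item.split("=") for item in items)
    return {k: int(v) if v.isdigit() else v for k, v in pairs}

def run_stack(stack, results):
    """Return True only if some module set a successful value for the stack."""
    status, i = None, 0  # None: nothing has set the stack's return value yet
    while i < len(stack):
        control, module = stack[i]
        actions = parse(control)
        action = actions.get(results[module], actions["default"])
        i += 1
        if isinstance(action, int):
            i += action  # jump: skips modules, sets no return value
        elif action in ("ok", "done"):
            status = True if status is None else status
            if action == "done":
                break
        elif action in ("bad", "die"):
            status = False
            if action == "die":
                break
    return status is True  # "ignore" actions fall through without any effect

# common-account as quoted in the message (module options dropped).
REPORTED = [
    ("[success=2 new_authtok_reqd=done default=ignore]", "pam_unix"),
    ("[success=1 default=ignore]", "pam_ldap"),
    ("required", "pam_permit"),
    ("required", "pam_krb5"),
]
# Assumed layout with the pam_deny line the reply says is missing.
WITH_DENY = REPORTED[:2] + [("requisite", "pam_deny")] + REPORTED[2:]
# Constructed module results for a local, non-Kerberos user such as root.
LOCAL_USER = {"pam_unix": "success", "pam_ldap": "user_unknown",
              "pam_permit": "success", "pam_deny": "perm_denied",
              "pam_krb5": "ignore"}

if __name__ == "__main__":
    print("reported layout:", run_stack(REPORTED, LOCAL_USER))
    print("with pam_deny:  ", run_stack(WITH_DENY, LOCAL_USER))
```

In this model the quoted layout also returns success when pam_unix and pam_ldap both fail, because the fall-through path then reaches pam_permit; that path is where the pam_deny line belongs.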