On Tue, Aug 30, 2011 at 01:19:24PM -0400, Sam Harmon wrote:
I'm trying to configure a 389 instance to pass authentication to our Kerberos
server using the PAM Pass Through plugin. As far as I can tell, the authentication is
happening correctly in PAM, but it's getting refused by the 389 server. I've
included the relevant configurations and some log file snippets of an example
Has anyone seen a problem like this before? Do I have a problem in my configuration?
It looks as though you're missing a part of your PAM configuration. The
directory server log is indicating that the user failed the account
management portion of things ("Error from PAM during pam_acct_mgmt"),
and your PAM configuration doesn't appear to have any "account" modules
listed in it.
I'd suggest adding "account required pam_krb5.so" to the file, which
would both provide some configuration (so that the default, which is to
fail, isn't used) and let the module properly deny access when the
user's password has expired.