[389-users] PAM Pass Through- PAM succeeds but 389 fails?
Nalin Dahyabhai
nalin at redhat.com
Tue Aug 30 17:46:41 UTC 2011
On Tue, Aug 30, 2011 at 01:19:24PM -0400, Sam Harmon wrote:
> Hello,
>
> I'm trying to configure a 389 instance to pass authentication to our Kerberos server using the PAM Pass Through plugin. As far as I can tell, the authentication is happening correctly in PAM, but it's getting refused by the 389 server. I've included the relevant configurations and some log file snippets of an example authentication.
>
> Has anyone seen a problem like this before? Do I have a problem in my configuration?
It looks as though you're missing a part of your PAM configuration. The
directory server log is indicating that the user failed the account
management portion of things ("Error from PAM during pam_acct_mgmt"),
and your PAM configuration doesn't appear to have any "account" modules
listed in it.
I'd suggest adding "account required pam_krb5.so" to the file, which
would both provide some configuration (so that the default, which is to
fail, isn't used) and let the module properly deny access when the
user's password has expired.
HTH,
Nalin
More information about the 389-users
mailing list