Proper use of pam_krb5 within system-auth to achieve SSO

Kizerian, Michael Michael.Kizerian at
Wed Nov 3 16:06:19 UTC 2004

Running FC2
*	kernel 2.6.5-1.358
*	krb5-workstation/libs/devel-1.3.3-1
*	pam-krb5-2.0.10-1
*	pam-0.77-40
*	samba-3.0.3-5
*	samba-common-3.0.3-5
*	samba-client-3.0.3-5
*	pam_smb-1.1.7-3.1

I would like to achieve single sign-on, authenticating against AD (Win
Server 2003), retrieving a Kerberos ticket, and pulling down user
groups.  I have the proper config files (Kerberos & Samba), but the error
seems to be in my system-auth module.

The login bombs in 2 places on the Linux side
1.	After entering username
a.	pam_krb5: error resolving user name 'superman' to uid/gid pair
b.	pam_krb5: error getting information about 'superman'
2.	After entering password
a.	gdm-binary: Couldn't set acct. mgmt. for superman

On the Win2003 side, superman does authenticate via winbind, but there
exists no log showing a Kerberos request.

Also: I can retrieve tickets using kinit and superman/password
        getent passwd/group retrieves the users and groups on the AD
        wbinfo -u/-g retrieves the AD groups

Any ideas?

I appreciate any help/direction,

Mike Kizerian
michael.kizerian at
mike.kizerian at

Here is my pam.d/system-auth file:
*This is a mixture of what the authentication applet creates and
suggestions I've found online.  Some of those suggestions have stated
that the login module needs to be manipulated, but since it calls the
system-auth module, I don't see why it would be necessary. If it is,
please explain.
auth required
auth required
auth required use_first_pass
auth required use_first_pass likeauth nullok
auth required

account required
account required
account required

password required retry=3 type=
password sufficient nullok use_authok md5 shadow
password sufficient use_authok
password required

session required
session required
sessions sufficient
