About pam

[Dominik Epple]

Hi list,

I have a problem with pam. While trying to setup authentication against
a kerberos server, I encountered the following problem.

If I modify /etc/pam.d/login to look like (very minimalistic)

auth            required        pam_unix.so             debug
account         required        pam_unix.so             debug

then login on the console (into an ordinary account in the /etc files)
is (still) working properly. However, if I change the line

auth            required        pam_unix.so             debug

to

auth            sufficient      pam_unix.so             debug
auth            required        pam_deny.so             debug

which should be completely equivalent to the replaced line, login fails.
In the log (/var/log/auth.log) I find

Nov  6 18:44:59 daemon login: login on ttyv0 as dominik
Nov  6 18:44:59 daemon login: in _openpam_check_error_code(): pam_sm_setcred(): unexpected return value 9
Nov  6 18:44:59 daemon login: pam_setcred(): authentication error

What is happening there? Am I doing something wrong? Or is this a bug?

Regards, Dominik.

PS. The system is freshly cvsup'd, compiled and installed.

My supfile contains '*default release=cvs tag=RELENG_5_3_0_RELEASE'.

'uname -a' says 'FreeBSD daemon.intranet 5.3-RELEASE FreeBSD
5.3-RELEASE #0: Sat Nov  6 16:50:02 CET 2004
root at daemon.intranet:/usr/obj/usr/src/sys/GENERIC  i386'.
--