Bugzilla – Bug 156541
yast-krb5-client fails to add pam_krb5-module to pam.d/common-session
Last modified: 2006-04-24 11:46:07 UTC
When activating kerberos in yast, some changes to the pam-configuration are made. Unfortunately, yast forgets to add: session optional pam_krb.so As a result, no krb5-ticket is generated at login-time and user has to do 'kinit' afterwards. Please fix this. ---------------- In /etc/krb5.conf -> appdefaults->pam these extra settings would be fine: external = sshd use_shmem = sshd This is necessary to get full functionality at ssh login. Thanks, Reinhard
yast2-kerberos-client doesn't edit any file under /etc/pam.d. Michael, could you comment the /etc/krb5.conf proposal?
yast2-kerberos-client changes /etc/security/pam_unix2.conf and adds use_krb5 to auth, account and passwd BUT not session!
Adding use_krb5 to session in /etc/security/pam_unix2.conf has not the same effect as to add session optional pam_krb5.so to /etc/pam.d/common-session. I do not know why. Thorsten? The other two parameter might be a good idea for the future, but we are a little bit late for this feature now. See also Bug #154977: It also discusses the problem with no tickets after ssh login. This is more a bug in ssh than in pam or our pam configuration.
Michael, it's for you to decide what to do. Reassing back to me when it is clear. (btw, the report is for 10.0)
Well this bug is for 10.0 and adding new features is not possible. For Future versions we have Bug #154977. So let's close this with duplicate. But I think we need a solution from openssh team. So it will take some time to fix this. *** This bug has been marked as a duplicate of 154977 ***