Linux

使用“pam_krb5.so try_first_pass”時,klist 不返回任何票證

  • June 30, 2017

我們有

auth        optional      pam_krb5.so try_first_pass

/etc/pam.d/password-auth-ac 

/etc/pam.d/system-auth-ac

但是,當我在成功登錄後執行 klist 時,我得到

klist: No credentials cache found (filename: /tmp/nnnnn)

這可能是什麼原因?

身份驗證和會話堆棧:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_tally2.so deny=12 unlock_time=3600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        optional      pam_krb5.so try_first_pass
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so



session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

發現會話堆棧中缺少 pam_krb5:

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     required      pam_krb5.so

添加session required pam_krb5.so解決了這個問題。

引用自:https://serverfault.com/questions/858638