
Problem with pam_krb5 and semicolons


We're trying to set up a RedHat 7.1 system to authenticate to Active
Directory. We have it authenticating alright but we're running into a
problem with some characters (two semicolons) that are being displayed after
the user has authenticated. While this is only a visual issue in telnet,
it's breaking pop3 and imap.

Here's a sample of telnetting to the pop3 port:

[root@tuna /etc]# telnet tuna pop3
Connected to tuna.gonzaga.edu (
Escape character is '^]'.
+OK POP3 tuna.gonzaga.edu v2000.69rh server ready
user testacct
+OK User name accepted, password please
pass xyzzy
;;+OK Mailbox open, 19 messages
+OK Sayonara
Connection closed by foreign host.


The two semicolons before the "+OK Mailbox open, 19 messages" are causing
the POP clients to fail. The same thing is happening in IMAP, ftp, telnet,
and after a successful login.

If we disable pam_krb5, we don't get these characters. We also don't get
these characters on our HP-UX system which is also authenticating to Active
Directory. The problem occurs if the shadow password and the Active
Directory password are the same, if they are different, or if the user has
no shadow password at all.

Here's our current krb5.conf file:

 default_realm = GUNET.GONZAGA.EDU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc

  kdc = dc1-gunet.gunet.gonzaga.edu:88
  kpasswd_server = dc1-gunet.gunet.gonzaga.edu:464


Here's our current system-auth file:

#auth        required      /lib/security/pam_env.so
#auth        optional    /lib/security/pam_unix.so likeauth nullok md5
#auth        required    /lib/security/pam_krb5.so
auth        optional    /lib/security/pam_unix.so nullok md5 shadow
auth        sufficient    /lib/security/pam_krb5.so
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
#session     optional      /lib/security/pam_krb5.so


If there are any hints that you can provide, that would be great. I'm pretty
new to PAM, Kerberos, and Active Directory so this is all pretty strange to


Greg Francis
Unix System Administrator
Central Computing, Gonzaga University
francis@its.gonzaga.edu, 509-323-6896
