
Re: (no subject)



Chris left for the day.  

There are two issues.  The first is that he does intend to run some sort of 
clock synchronization.  He wasn't simply because he is having trouble getting 
NTP to interoperate with Windows 2000.  We recognize that it is a prerequisite 
for Kerberos to work properly.

Nonetheless, it would be nice if the cause of authentication failure was more 
clear if it is a result of the clocks being out of sync.  This is mainly to 
assist in debugging issues where the user is having problems authenticating.

The PAM_ERROR fields seem to be an ideal place to provide such feedback to the 
calling application.

Thanks for pointing us in the right direction,

Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
732-764-8858 x211

> Clearly, PAM doesn't have a failure code that corresponds to the Kerberos
> 'clocks are out of sync' condition.  The two other ways available for PAM
> modules to return status information are PAM_INFO/PAM_ERROR messages sent
> using the PAM conversation function, and log messages recorded using syslog or
> an equivalent service.  Which you would use depends on who you want to see the
> information.
> 
> Attempting to base your system authentication on Kerberos without having
> synchronized clocks is going to cause no end of problems.  Indeed, if you look
> at the Kerberos documentation you'll find clock synchronization stated as a
> non-negotiable requirement.  Can I ask why it's not feasible for you to run
> some sort of time synchronization tool on this machine?
> 
> Regards,
> Steve Langasek
> postmodern programmer




