# using kerberos5 with pam-login: authentication failed

## Way2Late

Hi lovely Gentoo-Community,

i have been around for years now but i am not very skilled with the linuxsystem but i love Gentoo and the most i love is YOU the great community behind it. The reason i do is simply the level questions are answered and treated here and of course the great wiki. After so many years this is the first time i am stuck with a problem google can't solve (for me) and i've decided to step out of the shadow and ask you directly:

I am not an expert with openafs and kerberos but i need it for my work and i followed http://en.gentoo-wiki.com/wiki/Kerberos_Authentication to get it to work.

I can successfully login via kinit and klog.krb5 and write into my directory but i can't login with pam:

login *******

```
Mar 29 19:24:09 zoq25 login[29563]: pam_tally2(login:auth): pam_get_uid; no such user

Mar 29 19:24:09 zoq25 login[29563]: pam_krb5(login:auth): pam_sm_authenticate: entry

Mar 29 19:24:09 zoq25 login[29563]: pam_krb5(login:auth): (user *******) attempting authentication as *******@PHYSNET.UNI-HAMBURG.DE

Mar 29 19:24:11 zoq25 login[29563]: pam_krb5(login:auth): user ******* authenticated as *******@PHYSNET.UNI-HAMBURG.DE

Mar 29 19:24:11 zoq25 login[29563]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
```

after that i have to reenter my password.

File: /etc/pam.d/system-auth                                                                              

```
auth            required        pam_env.so

auth            [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass

auth            required        pam_unix.so try_first_pass likeauth nullok

auth            optional        pam_permit.so

account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass

account         required        pam_unix.so

account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3

password        [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass

password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow

password        optional        pam_permit.so

session         required        pam_limits.so

session         required        pam_env.so

session         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass

session         required        pam_unix.so

session         optional        pam_permit.so
```

i am using:

```
sys-auth/pambase-20101024-r2  USE="consolekit cracklib pam_krb5 sha512 -debug -gnome-keyring -minimal -mktemp -pam_ssh -passwdqc (-selinux)"

sys-libs/pam-1.1.5  USE="berkdb cracklib nls -audit -debug -nis (-selinux) -test -vim-syntax"

sys-auth/pam_krb5-4.5

app-crypt/mit-krb5-1.9.2-r2  USE="keyutils pkinit threads -doc -openldap -test -xinetd"
```

emerge --info

```
Portage 2.1.10.49 (default/linux/amd64/10.0, gcc-4.5.3, glibc-2.13-r4, 3.2.12-gentoo x86_64)

=================================================================

System uname: Linux-3.2.12-gentoo-x86_64-Intel-R-_Core-TM-_i7-2600K_CPU_@_3.40GHz-with-gentoo-2.0.3

Timestamp of tree: Thu, 29 Mar 2012 12:30:01 +0000

app-shells/bash:          4.2_p20

dev-lang/python:          2.7.2-r3, 3.2.2

dev-util/cmake:           2.8.6-r4

dev-util/pkgconfig:       0.26

sys-apps/baselayout:      2.0.3

sys-apps/openrc:          0.9.8.4

sys-apps/sandbox:         2.5

sys-devel/autoconf:       2.68

sys-devel/automake:       1.11.1

sys-devel/binutils:       2.21.1-r1

sys-devel/gcc:            4.5.3-r2

sys-devel/gcc-config:     1.5-r2

sys-devel/libtool:        2.4-r1

sys-devel/make:           3.82-r1

sys-kernel/linux-headers: 3.1 (virtual/os-headers)

sys-libs/glibc:           2.13-r4

Repositories: gentoo

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="* -@EULA"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=core2 -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"

CXXFLAGS="-march=core2 -O2 -pipe"

DISTDIR="/usr/portage/distfiles"

EMERGE_DEFAULT_OPTS="--jobs=8"

FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch parallel-install protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"

FFLAGS=""

GENTOO_MIRRORS="http://distfiles.gentoo.org"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j9 -l8"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY=""

SYNC="rsync://rsync.gentoo.org/gentoo-portage"

USE="X acl amd64 berkdb bzip2 cli contrib cracklib crypt cups cxx dri fortran gdbm gpm gtk iconv ipod ipv6 kde kerberos mmx modules mp3tunes mudflap multilib ncurses nls nptl nptlonly openafs opengl openmp pam pam_krb5 pcre pppd qt3support qt4 readline semantic-desktop session sse sse2 ssl sysfs tcpd unicode utils xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

I have spend all my day in getting this to work and would really appreciate any kind of help in what i am missing. If you can't help me i am forced to use a preconfigured lucid-Ubuntu which can't be updated without destroying the afs-support.

Thanks a lot!

----------

