I have a problem with pam_sm_setcred when authenticating non-local users. I
have the following in my pam file

application auth required pam-krb5-3.9 no_ccache
application account required pam-krb5-3.9 no_ccache
application session required pam_dummy

to authenticate users of an application with Kerberos. Unfortunately the
application also uses pam_setcred and pam_sm_open/close_session calls, and
pam_sm_setcred fails because in pam_sm_setcred the pamret =
pamk5_context_fetch(args) call fails and sets the return code to 24 (Module
specific data not found). You nicely jump over getpwnam when no_ccache is
selected but I think in the case of no_ccache a failure of
pamk5_context_fetch shouldn't be fatal.

Can this be changed in the next release?

Thank you

int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct context *ctx = NULL;
    struct pam_args *args;
    krb5_ccache cache = NULL;
    char *cache_name = NULL;
    int reinit = 0, status = 0;
    int pamret, allow;
    struct passwd *pw = NULL;
    uid_t uid;
    gid_t gid;

    args = pamk5_args_parse(pamh, flags, argc, argv);
    if (args == NULL) {
        pamk5_error(NULL, "cannot allocate memory: %s", strerror(errno));
        goto done;
    }
    pamret = pamk5_context_fetch(args);
    ENTRY(args, flags);

    /*
     * Special case. Just free the context data, which will destroy the
     * ticket cache as well.
     */
    if (flags & PAM_DELETE_CRED) {
        pamret = pam_set_data(pamh, "pam_krb5", NULL, NULL);
        args->ctx = NULL;
        goto done;
    }

    /* If configured not to create a cache, we have nothing to do. */
    if (args->no_ccache)
        goto done;

    /* ... */

done:
    if (cache != NULL)
        krb5_cc_destroy(ctx->context, cache);
    if (cache_name != NULL)
        free(cache_name);
    EXIT(args, pamret);
    return pamret;
}

"Russ Allbery" wrote in message
> I'm pleased to announce release 3.9 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features. It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
>     If use_authtok is set, fail even if we can retrieve the stored PAM
>     password if that password is set to NULL. Apparently that can happen
>     in some cases, such as with pam_cracklib. Thanks to Christian Holler
>     for the diagnosis and a patch.
>
>     Add a new clear_on_fail option for the password group. If set, when a
>     password change fails, set PAM_AUTHTOK to NULL so that subsequent
>     modules in the PAM stack with use_authtok set will also fail. Just
>     returning failure doesn't abort the stack on the second pass when
>     actual password changes are made. This is not the default since it
>     interferes with other desirable PAM configurations. It's useful
>     primarily when using the PAM stack to synchronize passwords between
>     multiple environments. Thanks to Christian Holler and Tomas Mraz for
>     the analysis.
>
>     Fix portability issues with Heimdal, versions of PAM that don't
>     provide pam_modutil_getpwnam, and compiler warnings when building
>     PKINIT support. Thanks, Martin von Gagern.
>
>     Fix parsing of the keytab PAM option. Thanks, Markus Moeller.
>
>     Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
>     resolve the Kerberos realm. Thanks, Frank Cornelissen.
>
>     Add a new debugging section to the README.
>
> You can download it from:
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
> --
> Russ Allbery (
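
The check ordering discussed in the message above, as an added stand-alone model (not pam-krb5 source and not part of the original post). It compares the reported behaviour, where the pamk5_context_fetch result is returned on the no_ccache path, with the requested one. The MODEL_* constants, struct model_args and the setcred_* functions are constructed for illustration; 24 is the return code quoted in the post.

```c
/* Added illustration, not pam-krb5 source: a stand-alone model of the check
 * ordering in pam_sm_setcred.  All names and constants are constructed. */
#include <stddef.h>
#include <stdio.h>

#define MODEL_SUCCESS        0
#define MODEL_NO_MODULE_DATA 24   /* return code quoted in the post */
#define MODEL_ESTABLISH_CRED 0x2
#define MODEL_DELETE_CRED    0x4

struct model_args {
    int no_ccache;     /* the no_ccache module option */
    const void *ctx;   /* context left by the auth call, NULL if none */
};

/* Stand-in for pamk5_context_fetch(): fails when no context was stored. */
static int model_context_fetch(const struct model_args *a)
{
    return a->ctx != NULL ? MODEL_SUCCESS : MODEL_NO_MODULE_DATA;
}

/* Ordering in the excerpt: the fetch result is what the no_ccache path returns. */
int setcred_reported(const struct model_args *a, int flags)
{
    int pamret = model_context_fetch(a);

    if (flags & MODEL_DELETE_CRED)
        return MODEL_SUCCESS;      /* models a successful pam_set_data() */
    if (a->no_ccache || pamret != MODEL_SUCCESS)
        return pamret;             /* the "goto done" path */
    return MODEL_SUCCESS;          /* cache creation is outside the model */
}

/* Ordering requested in the post: with no_ccache there is nothing to create,
 * so a missing context is not treated as fatal. */
int setcred_requested(const struct model_args *a, int flags)
{
    if (flags & MODEL_DELETE_CRED || a->no_ccache)
        return MODEL_SUCCESS;
    return model_context_fetch(a); /* a cache is wanted: context is required */
}

int main(void)
{
    struct model_args nocache = { 1, NULL }, cache = { 0, NULL };
    int f = MODEL_ESTABLISH_CRED;
    printf("no_ccache:  reported=%d requested=%d\n",
           setcred_reported(&nocache, f), setcred_requested(&nocache, f));
    printf("with cache: reported=%d requested=%d\n",
           setcred_reported(&cache, f), setcred_requested(&cache, f));
    return 0;
}
```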