"Markus Moeller" writes:

> I have a problem with pam_sm_setcred when authenticating non-local users. I
> have in my pam file the following
>
> application auth required pam-krb5-3.9 no_ccache
> application account required pam-krb5-3.9 no_ccache
> application session required pam_dummy
>
> to authenticate users of an application with Kerberos. Unfortunately the
> application uses also a pam_setcred and pam_sm_open/close_session calls
> and pam_sm_setcred fails because in pam_sm_setcred the pamret =
> pamk5_context_fetch(args) call fails and sets the return code to 24
> (Module specific data not found). You nicely jump over getpwnam when
> no_ccache is selected but I think in the case of no_ccache a failure of
> pamk5_context_fetch shouldn't be fatal.
>
> Can this be changed in the next release?


Yeah, I think this was actually an accident caused by other changes. I
used to initialize the PAM return value to success. I think this patch
will do what you want and is correct. It'll be in the next release.

=== modified file 'api-auth.c'
--- api-auth.c 2007-09-30 08:33:55 +0000
+++ api-auth.c 2007-12-03 19:29:09 +0000
@@ -476,8 +476,10 @@
}

/* If configured not to create a cache, we have nothing to do. */
- if (args->no_ccache)
+ if (args->no_ccache) {
+ pamret = PAM_SUCCESS;
goto done;
+ }

/*
* Reinitialization requested, which means that rather than creating a new
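
Review bot: The `pamret = PAM_SUCCESS;` assignment in the `if (args->no_ccache)` branch is unconditional, so it replaces whatever value pamret holds when the branch is reached. That covers the failed pamk5_context_fetch from the report, but if any other step before this point can leave an error in pamret, that error is also returned as success whenever no_ccache is set. Consider testing no_ccache before the context fetch, or resetting pamret only when the fetch is what failed. The comment above the branch could also say that a missing context is expected with no_ccache, so the reset does not look accidental to the next reader.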

--
Russ Allbery (rra@stanford.edu)