<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1287853511;
mso-list-type:hybrid;
mso-list-template-ids:-1298652046 1384388858 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:27.0pt;
text-indent:-.25in;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks. Changing /etc/pam.d/common-account from<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Courier New";
color:#1F497D'> account requisite pam_unix2.so<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Courier New";
color:#1F497D'> account required
pam_krb5.so use_first_pass</span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><br>
<br>
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>to<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Courier New";
color:#1F497D'> account required
pam_unix2.so<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>worked for me. Clearly Pam expect the ‘nx’ account
to exist on the domain. The above fixes this, though the above solution may not
be what some people want to do. A more elegant solution might be:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Courier New";
color:#1F497D'> account requisite
pam_unix2.so <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Courier New";
color:#1F497D'> account sufficient pam_succeed_if.so
uid < 500 quiet<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Courier New";
color:#1F497D'> account required
pam_krb5.so use_first_pass<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Sincerely,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='margin-left:27.0pt;text-indent:-.25in;
mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>-<span
style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>henrik<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Terje Andersen
[mailto:terander@guard.zapto.org] <br>
<b>Sent:</b> Friday, May 25, 2007 11:28 AM<br>
<b>To:</b> freenx-knx@kde.org<br>
<b>Subject:</b> [30] Re: [FreeNX-kNX] Kerberos & FreeNX<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p>----- Melding fra henrik@stat.tamu.edu ---------<br>
Dato: Thu, 24 May 2007 11:06:37 -0500<br>
Fra: Henrik Schmiediche <henrik@stat.tamu.edu><br>
Svar-til: User Support for FreeNX Server and kNX Client
<freenx-knx@kde.org><br>
Emne: [FreeNX-kNX] Kerberos & FreeNX<br>
Til: 'User Support for FreeNX Server and kNX Client'
<freenx-knx@kde.org><br>
<br>
<br>
> Hello,<br>
><br>
> I am running FreeNX-0.5.0-25 & NX-1.5.0-73 on Suse 10.2. NX work fine
out of<br>
> the box with local or NIS account. When I enable Kerberos to do user<br>
> authentication (against a Windows domain) NX stops to function. The
command:<br>
><br>
<br>
Try to search this list for the topic "NX and PAM" from April 2007 -
think you might get some help from that.<br>
<br>
><br>
><br>
> results in an immediate closed connection. If I disable Kerberos<br>
> authentication then the above command works as it should and NX client<br>
> logins work. Note that I can ssh into the system and authenticate just
fine<br>
> when using ssh with Kerberos. The problem only appears when using NX.<br>
><o:p></o:p></p>
<p>NX logs in a user 'nx' via a ssh connection using ssh keys (NoMachine or
private generated) and when this is successfully established, the _actual_
authentication of the users executes/starts. <br>
IMHO you need to first allow the ssh-connection for the user 'nx', then use
Kerberos to authenticate the users from the AD-Domain. All this you control via
PAM.<o:p></o:p></p>
<p><br>
/Terje<o:p></o:p></p>
</div>
</body>
</html>