Chapter 43. Securing Your Network
43.3.5.1. Troubleshooting
If you have followed the configuration steps above and Negotiate authentication is not working, you
can turn on verbose logging of the authentication process. This could help you find the cause of the
problem. To enable verbose logging, use the following procedure:
1. Close all instances of Firefox.
2. Open a command shell, and enter the following commands:
export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log
3. Restart Firefox from that shell, and visit the website you were unable to authenticate to earlier.
Information will be logged to /tmp/moz.log, and may give a clue to the problem. For example:
-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
-1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
No credentials cache found
This indicates that you do not have Kerberos tickets, and need to run kinit.
If you are able to run kinit successfully from your machine but you are unable to authenticate, you
might see something like this in the log file:
-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
Server not found in Kerberos database
This generally indicates a Kerberos configuration problem. Make sure that you have the correct entries
in the [domain_realm] section of the /etc/krb5.conf file. For example:
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
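To check which realm these entries give for the web server's host name, the following is an added example, not part of the original guide. It uses a simplified model of the documented key rule (a host-name key matches exactly, a key with a leading period matches hosts inside that domain); the Kerberos library's own lookup may differ between versions. The function name realm_for_host and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: resolve a host name to a realm via the [domain_realm] section.
# Simplified model: a host-name key matches exactly; a key with a leading
# period matches any host inside that domain.

# realm_for_host CONF HOST -> prints the realm; returns 1 if no entry matches
realm_for_host() {
    conf=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # keys are written in lower case
    key=$host
    while [ -n "$key" ]; do
        realm=$(awk -v want="$key" '
            /^[ \t]*[#;]/ { next }                      # skip comment lines
            /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
            insec && /=/  {
                split($0, kv, "=")
                gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
                if (kv[1] == want) { print kv[2]; exit }
            }' "$conf")
        if [ -n "$realm" ]; then printf '%s\n' "$realm"; return 0; fi
        # Next candidate: drop the leading label, keep the period (.example.com, .com)
        rest=${key#.}
        case $rest in
            *.*) key=.${rest#*.} ;;
            *)   key= ;;
        esac
    done
    return 1
}

# Constructed sample: the two [domain_realm] lines shown in the text.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF

for h in www.example.com example.com www.example.org; do
    if r=$(realm_for_host "$sample" "$h"); then echo "$h -> $r"
    else echo "$h: no [domain_realm] entry matches"; fi
done
```

Under this model the entry with the leading period covers hosts such as www.example.com, while the entry without it covers a host named exactly example.com.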
If nothing appears in the log, it is possible that you are behind a proxy, and that proxy is stripping off
the HTTP headers required for Negotiate authentication. As a workaround, you can try to connect to
the server using HTTPS instead, which allows the request to pass through unmodified. Then proceed
to debug using the log file, as described above.
43.4. Pluggable Authentication Modules (PAM)
Programs that grant users access to a system use authentication to verify each other's identity (that is,
to establish that a user is who they say they are).
Historically, each program had its own way of authenticating users. In Red Hat Enterprise Linux,
many programs are configured to use a centralized authentication mechanism called Pluggable
Authentication Modules (PAM).
PAM uses a pluggable, modular architecture, which affords the system administrator a great deal of
flexibility in setting authentication policies for the system.