Using kerberos with users in passwd
twendt at online.de
Mon May 28 05:05:38 EDT 2007
I am using Kerberos on Linux RHEL 5 in combination with the users in
/etc/passwd. The user information is actually downloaded from an
Active Directory via script. We used to have ldap in combination with
Kerberos using PAM and nsswitch.conf. But the problem was that no
user information about these users was available when the network
wasn't working. This is no problem for users logging in via ssh, but
we also want to provide application accounts via the ADS. Therefore
we implemented the script solution.

Now we have the problem with password changes. If I use krb5 first in
pam then we get kerberos errors for users that are not in ADS like
root. If we use the unix module first then it tries to change the
password locally first, which is not possible since the users have the
"*" in the shadow file.
As it looks like, the kerberos module doesn't like the
use_first_pass option which I thought was the solution for this.

Does anybody run a similar configuration and can help me out here? On
HP-UX there is a PAM module which uses a file pam_user.conf. Via
this file it is possible to change options for PAM modules based on
the user. That way we are having krb5 in pam.conf first and for all
local users we have an entry in pam_user.conf giving the krb5 module
an ignore option. I couldn't find anything similar for Linux.
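One way to get per-user routing in Linux PAM without a pam_user.conf equivalent, as an added example that is not from the poster or the Kerberos list: pam_succeed_if makes the password stack skip pam_krb5 for local accounts and skip pam_unix for AD-sourced ones. The uid cutoff of 500, the /etc/pam.d/system-auth layout and the pam_unix options are assumptions for RHEL 5.

```pam
# /etc/pam.d/system-auth, "password" section only (assumed RHEL 5 layout;
# auth/account/session are left as the distribution ships them).
#
# Local accounts (uid < 500 assumed: root, system accounts) match
# pam_succeed_if, jump over pam_krb5 and change the password in /etc/shadow.
# AD-sourced accounts (uid >= 500, shadow field "*") do not match, so
# pam_krb5 runs; success=done ends the stack so pam_unix never touches the
# "*" entry, and default=die stops on a Kerberos failure.
password    requisite                     pam_cracklib.so try_first_pass retry=3
password    [success=1 default=ignore]    pam_succeed_if.so uid < 500 quiet
password    [success=done default=die]    pam_krb5.so use_authtok
password    sufficient                    pam_unix.so md5 shadow use_authtok
password    required                      pam_deny.so
```

Check it with a local and an AD-sourced account via passwd before deploying; a wrong uid cutoff routes a local user to the KDC and reproduces the error the post describes.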