Using kerberos with users in passwd

Timo Wendt twendt at
Mon May 28 05:05:38 EDT 2007


I am using Kerberos on Linux RHEL 5 in combination with the users in /etc/passwd. The user information is actually downloaded from an Active Directory via a script. We used to have LDAP in combination with Kerberos using PAM and nsswitch.conf. But the problem was that no user information about these users was available when the network wasn't working. This is no problem for users logging in via ssh, but we also want to provide application accounts via the ADS. Therefore we implemented the script solution.

Now we have the problem with password changes. If I use krb5 first in PAM then we get Kerberos errors for users that are not in ADS, like root. If we use the unix module first then it tries to change the password locally first, which is not possible since the users have the "*" in the shadow file. As it looks, the Kerberos module doesn't like the use_first_pass option, which I thought was the solution for this.

Does anybody run a similar configuration and can help me out here? On HP-UX there is a PAM module which uses a file pam_user.conf. Via this file it is possible to change options for PAM modules based on the user. That way we have krb5 first in pam.conf, and for all local users we have an entry in pam_user.conf giving the krb5 module an ignore option. I couldn't find anything similar for Linux.
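
One Linux counterpart to the HP-UX pam_user.conf approach, as an added example that is not part of the original post: the password stack branches on the user with pam_succeed_if, so local accounts skip pam_krb5 and AD-synced accounts skip pam_unix. The UID boundary of 500 (the RHEL 5 default for system accounts) and the group name localpw are assumptions about the site.

```conf
# Constructed example: "password" section of /etc/pam.d/system-auth on RHEL 5.
# Assumption: local accounts (root, application accounts kept only in
# /etc/shadow) have UIDs below 500; accounts synced from AD have UIDs >= 500
# and a "*" shadow entry, so pam_unix must never be asked to change them.
password    requisite     pam_cracklib.so try_first_pass retry=3

# Local user: the test succeeds and control jumps over the next 1 module
# (pam_krb5), so root never talks to the KDC. AD user: the test fails,
# "default=ignore" hides that failure from the final result, and the stack
# falls through to pam_krb5. To key on a local group instead of a UID
# range, use "user ingroup localpw" (assumed group name) in place of "uid < 500".
password    [success=1 default=ignore] pam_succeed_if.so uid < 500 quiet

# AD user: change the password in Kerberos only. "sufficient" ends the
# stack on success, so pam_unix is never run against the "*" entry.
password    sufficient    pam_krb5.so use_authtok

# Local user (or an AD user whose Kerberos change failed): local change.
# For an AD account this fails on the "*" entry, which is the intended result.
password    sufficient    pam_unix.so use_authtok md5 shadow

# Nothing above succeeded: fail the change explicitly rather than
# returning success with nothing done.
password    required      pam_deny.so
```

If the installed pam_krb5 build offers the minimum_uid option, `pam_krb5.so minimum_uid=500` achieves the same skip for low-UID users without the pam_succeed_if line.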
