Using kerberos with users in passwd

Edgecombe, Jason jwedgeco at
Tue May 29 08:28:19 EDT 2007


We have RHEL5 with krb5 and a script-generated /etc/passwd file. We
don't encourage the use of passwd. We have an in-house script written to
change passwords because we have a legacy AFS kaserver still running
which is soon to be disabled. Our campus is going to a web-based
password changing tool to sync all passwords so I don't see using the
native passwd command much in our future.


Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
Phone: (704) 687-3514

-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On
Behalf Of Timo Wendt
Sent: Monday, May 28, 2007 5:06 AM
To: kerberos at
Subject: Using kerberos with users in passwd


I am using Kerberos on Linux RHEL 5 in combination with the users in
/etc/passwd. The user information is actually downloaded from an
Active Directory via script. We used to have ldap in combination with
Kerberos using PAM and nsswitch.conf. But the problem was, that no
user information about these users were available when the network
wasn't working. This is no problem for users logging in via ssh, but
we also want to provide application accounts via the ADS. Therefore
we implemented the script solution.
Now we have the problem with password changes. If I use krb5 first in
pam then we get kerberos errors for users that are not in ADS like
root. If we use the unix module first then it tries to change the
password locally first which is not possible since the users have the
"*" in the shadow file.
As it looks like, the kerberos module doesn't like the
user_first_pass option which I thought was the solution for this.

Does anybody run a similar configuration and can help me out here? On
HP-UX there is a PAM module which uses a file pam_users.conf. Via
this file it is possible to change options for PAM modules based on
the user. That way we are having krb5 in pam.conf first and for all
local users we have an entry in pam_user.conf giving the krb5 module
an ignore option. I couldn't find anything similar for Linux.
