Using kerberos with users in passwd
jwedgeco at uncc.edu
Tue May 29 08:28:19 EDT 2007
We have RHEL5 with krb5 and a script-generated /etc/passwd file. We
don't encourage the use of passwd. We have an in-house script written to
change passwords because we have a legacy AFS kaserver still running
which is soon to be disabled. Our campus is going to a web-based
password changing tool to sync all passwords so I don't see using the
native passwd command much in our future.
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
Phone: (704) 687-3514
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Timo Wendt
Sent: Monday, May 28, 2007 5:06 AM
To: kerberos at mit.edu
Subject: Using kerberos with users in passwd
I am using Kerberos on Linux RHEL 5 in combination with the users in
/etc/passwd. The user information is actually downloaded from an
Active Directory via script. We used to have ldap in combination with
Kerberos using PAM and nsswitch.conf. But the problem was that no
user information about these users was available when the network
wasn't working. This is no problem for users logging in via ssh, but
we also want to provide application accounts via the ADS. Therefore
we implemented the script solution.
Now we have the problem with password changes. If I use krb5 first in
pam then we get kerberos errors for users that are not in ADS like
root. If we use the unix module first then it tries to change the
password locally first, which is not possible since the users have the
"*" in the shadow file.
As it looks like, the kerberos module doesn't like the
user_first_pass option which I thought was the solution for this.
Does anybody run a similar configuration and can help me out here? On
HP-UX there is a PAM module which uses a file pam_users.conf. Via
this file it is possible to change options for PAM modules based on
an ignore option. It couldn't find anything similar for Linux.
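An added example (not from either poster) of how the per-user routing that HP-UX does with pam_user.conf can be expressed on Linux-PAM with pam_succeed_if: the password stack sends local accounts to pam_unix and everything else to pam_krb5, so neither module ever sees the "wrong" kind of user. It assumes the RHEL 5 system-auth layout, that the script-imported AD accounts all have uid >= 500 while root and other local accounts are below that, and that the new password is collected once by pam_cracklib and handed on with use_authtok.

```pam
# /etc/pam.d/system-auth -- password stack only (example, assumptions above).
# Control flow: [success=1] on the pam_succeed_if line means "skip the next
# line"; "done" ends the stack with success, "die" ends it with failure.

# Collect and quality-check the new password once for everybody.
password    requisite     pam_cracklib.so try_first_pass retry=3

# ASSUMPTION: local accounts (root, service users) have uid < 500.
# For them, jump over the Kerberos module; for AD-sourced users
# (uid >= 500, "*" in /etc/shadow) this line is ignored.
password    [success=1 default=ignore]  pam_succeed_if.so uid < 500 quiet

# AD users: change the password in the KDC only. A Kerberos error is
# reported as the final result instead of falling through to pam_unix,
# which could not update a "*" shadow entry anyway.
password    [success=done default=die]  pam_krb5.so use_authtok

# Local users: /etc/shadow only; pam_krb5 was never consulted for them.
password    [success=done default=die]  pam_unix.so shadow use_authtok

# Reached only if a module returns something other than success/failure.
password    required      pam_deny.so
```

The same pam_succeed_if gate can front the auth stack so root never triggers a KDC lookup; check the result with `passwd` as a local user and as an imported user before relying on it, since an off-by-one in the uid boundary silently routes an account to the wrong backend.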