Using kerberos with users in passwd

Timo Wendt twendt at
Tue May 29 15:08:10 EDT 2007


Thanks for your answer.
What happens when someone logs in and his password is expired? ssh will ask for the password to be changed.
I already had the idea of using kpasswd for the AD users, but this doesn't solve my problem with expired passwords at login.
Do you also have local and krb users in your passwd and some have the password in shadow and others via krb5?


On 29.05.2007 at 14:28, Edgecombe, Jason wrote:

> Hi,
> We have RHEL5 with krb5 and a script-generated /etc/passwd file. We
> don't encourage the use of passwd. We have an in-house script written to
> change passwords because we have a legacy AFS kaserver still running
> which is soon to be disabled. Our campus is going to a web-based
> password changing tool to sync all passwords so I don't see using the
> native passwd command much in our future.
> Sincerely,
> Jason
> Jason Edgecombe
> Solaris & Linux Administrator
> Mosaic Computing Group, College of Engineering
> UNC-Charlotte
> Phone: (704) 687-3514
> -----Original Message-----
> From: kerberos-bounces at [mailto:kerberos-bounces at] On
> Behalf Of Timo Wendt
> Sent: Monday, May 28, 2007 5:06 AM
> To: kerberos at
> Subject: Using kerberos with users in passwd
> Hi,
> I am using Kerberos on Linux RHEL 5 in combination with the users in
> /etc/passwd. The user information is actually downloaded from an
> Active Directory via script. We used to have ldap in combination with
> Kerberos using PAM and nsswitch.conf. But the problem was that no
> user information about these users was available when the network
> wasn't working. This is no problem for users logging in via ssh, but
> we also want to provide application accounts via the ADS. Therefore
> we implemented the script solution.
> Now we have the problem with password changes. If I use krb5 first in
> pam then we get kerberos errors for users that are not in ADS like
> root. If we use the unix module first then it tries to change the
> password locally first which is not possible since the users have the
> "*" in the shadow file.
> As it looks, the kerberos module doesn't like the
> use_first_pass option which I thought was the solution for this.
> Does anybody run a similar configuration and can help me out here? On
> HP-UX there is a PAM module which uses a file pam_users.conf. Via
> this file it is possible to change options for PAM modules based on
> the user. That way we are having krb5 in pam.conf first and for all
> local users we have an entry in pam_user.conf giving the krb5 module
> an ignore option. I couldn't find anything similar for Linux.
> Timo
> ________________________________________________
> Kerberos mailing list           Kerberos at
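One way to get the per-user routing Timo asks about on Linux PAM (pam_krb5 for the AD-imported users, the shadow file for local accounts such as root) is to let pam_succeed_if jump over pam_krb5 for local accounts, which is what the HP-UX pam_user.conf "ignore" entry does. The configuration below is a constructed example for a RHEL 5 style /etc/pam.d/system-auth and is not from the thread or from any of its authors; the assumption that local accounts are exactly those with uid < 500, and the module options shown, are mine.

```pam
# Constructed example of /etc/pam.d/system-auth (RHEL 5 layout); not from the thread.
# Assumption: local accounts (root, application/system users whose password lives
# in /etc/shadow) have uid < 500; every other user was imported from AD and has
# "*" in the shadow file, so its password must be handled by Kerberos.
# [success=1 default=ignore] means: if pam_succeed_if matches, skip the next
# module line (pam_krb5); otherwise behave as if this line were not present.

auth        required      pam_env.so
auth        [success=1 default=ignore]  pam_succeed_if.so uid < 500 quiet
auth        sufficient    pam_krb5.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so

# account: broken_shadow lets pam_unix accept AD users whose shadow entry is "*";
# pam_krb5 reports an expired AD password as "new authtok required", which makes
# sshd run the password stack below before the session starts.
account     required      pam_unix.so broken_shadow
account     [success=1 default=ignore]  pam_succeed_if.so uid < 500 quiet
account     required      pam_krb5.so

# password: local accounts skip pam_krb5 and update /etc/shadow; AD users change
# the password in the KDC and never reach pam_unix because pam_krb5 is sufficient.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    [success=1 default=ignore]  pam_succeed_if.so uid < 500 quiet
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so
```

The uid < 500 cut-off is the RHEL 5 convention for system accounts; if the local accounts cannot be told apart by uid, `pam_succeed_if.so user ingroup localusers` with a dedicated group works the same way. Test the stack with a throw-away local user and a throw-away AD user before changing root, and keep a second root shell open while editing, since a typo in a `[...]` control field makes the whole stack fail closed.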
