Using kerberos with users in passwd

Russ Allbery rra at
Tue May 29 15:43:08 EDT 2007

Timo Wendt <twendt at> writes:

> thanks for your answer.
> What happens when someone logs in and his password is expired? ssh  
> will ask for the password to be changed.

This happens as part of the authentication and will only happen if the
user was authenticated using the pam_krb5 module.  If that module declines
the user, then the pam_unix module will authenticate them and the password
change logic won't be triggered.

> I already had the idea of using kpasswd for the AD users, but this  
> doesn't solve my problem with expired passwords at login.
> Do you also have local and krb users in your passwd and some have the  
> password in shadow and others via krb5?

I do this all the time.  It helps considerably if you can keep the UIDs
for accounts with local passwords below the range of accounts in AD, since
then you can just use the minimum_uid PAM option and add pam_krb5 to all
of the PAM stacks before pam_unix, including password.  With minimum_uid,
pam_krb5 will fail if the UID is lower than that value, letting you mark
it as sufficient and pam_unix as required after it in the stack.

Russ Allbery (rra at             <>
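
The stack ordering described in the reply above, as an added configuration example that is not part of the original message. It assumes a Linux-PAM system, a constructed cutoff of UID 1000 between local and AD accounts, and a per-service file for sshd; only the auth and password stacks that the thread discusses are shown.

```conf
# /etc/pam.d/sshd  (assumed location; many distributions put these lines
# in shared include files instead)
#
# Assumption: accounts with local passwords in shadow have UIDs below 1000,
# accounts in AD have UIDs of 1000 and above. Adjust minimum_uid to the
# real boundary on your systems.

# --- auth -------------------------------------------------------------
# pam_krb5 runs first. For a UID below minimum_uid it fails, and because
# it is only "sufficient" that failure is not fatal: the stack continues
# to pam_unix, which checks the shadow password.
# For a UID at or above minimum_uid, a successful Kerberos authentication
# ends the stack here, and expired-password handling happens as part of
# this pam_krb5 authentication.
auth      sufficient  pam_krb5.so minimum_uid=1000
auth      required    pam_unix.so try_first_pass

# --- password ---------------------------------------------------------
# Same order for password changes: Kerberos users change their password
# through pam_krb5, local users fall through to pam_unix and shadow.
password  sufficient  pam_krb5.so minimum_uid=1000
password  required    pam_unix.so try_first_pass
```

A local account whose UID is at or above the cutoff is tried against Kerberos first under this layout, so keeping the two UID ranges separate is what makes the ordering predictable.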
