Using kerberos with users in passwd
Timo Wendt
twendt at online.de
Tue May 29 15:50:17 EDT 2007
I will see if the minimum and maximum_uid will help me. This sounds
good. I expect though that this is also not possible in our
environment, because we kept the same uids when migrating to ADS. But
if only a few users are affected then it is always an option to
change the uid with all the related files.
On 29.05.2007 at 21:43, Russ Allbery wrote:
> Timo Wendt <twendt at online.de> writes:
>
>> thanks for your answer.
>> What happens when someone logs in and his password is expired? ssh
>> will ask for the password to be changed.
>
> This happens as part of the authentication and will only happen if the
> user was authenticated using the pam_krb5 module. If that module declines
> the user, then the pam_unix module will authenticate them and the password
> change logic won't be triggered.
>
>> I already had the idea of using kpasswd for the AD users, but this
>> doesn't solve my problem with expired passwords at login.
>> Do you also have local and krb users in you passwd and some have the
>> password in shadow and others via krb5?
>
> I do this all the time. It helps considerably if you can keep the UIDs
> for accounts with local passwords below the range of accounts in AD, since
> then you can just use the minimum_uid PAM option and add pam_krb5 to all
> of the PAM stacks before pam_unix, including password. With minimum_uid,
> pam_krb5 will fail if the UID is lower than that value, letting you mark
> it as sufficient and pam_unix as required after it in the stack.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
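The stack ordering Russ describes, written out as an added example (not from this thread) in Linux-PAM syntax: pam_krb5 marked sufficient with minimum_uid before a required pam_unix in every stack. The UID boundary 1000 is an assumed value; pick the lowest UID of your AD-sourced accounts, and confirm the option names against the man page of the pam_krb5 build you actually run.

```text
# Added example, not configuration from the thread. Assumes Linux-PAM and
# a pam_krb5 that supports minimum_uid; 1000 is a constructed boundary
# chosen so that all locally-passworded accounts sit below it.
#
# UID < 1000  -> pam_krb5 fails, stack falls through to pam_unix (shadow).
# UID >= 1000 -> pam_krb5 succeeds and, being sufficient, ends the stack,
#                so pam_unix's shadow expiry/password logic is never reached.

auth      sufficient   pam_krb5.so minimum_uid=1000
auth      required     pam_unix.so try_first_pass

account   sufficient   pam_krb5.so minimum_uid=1000
account   required     pam_unix.so

# Expired-Kerberos-password prompts at login come from the auth stack above;
# the password stack handles explicit changes (passwd / forced change).
password  sufficient   pam_krb5.so minimum_uid=1000
password  required     pam_unix.so try_first_pass

session   optional     pam_krb5.so minimum_uid=1000
session   required     pam_unix.so
```

Because the AD branch never consults shadow, the shadow entries of AD users stay locked (`!`/`*`), while the local users below the boundary keep their passwords there; keep the boundary between the two ranges or the fallthrough silently stops working.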