Using kerberos with users in passwd

Timo Wendt twendt at
Tue May 29 15:50:17 EDT 2007

I will see if the minimum and maximum_uid will help me. This dounds  
good. I expect though that this is also not possible in our  
environment, because we kept the same uids when migrating to ADS. But  
if only a few users are affected then it is always an option to  
change the uid with all the related files.

Am 29.05.2007 um 21:43 schrieb Russ Allbery:

> Timo Wendt <twendt at> writes:
>> thanks fo ryour answer.
>> What happens when someone logs in and his password is expired? ssh
>> will ask for the password to be changed.
> This happens as part of the authentication and will only happen if the
> user was authenticated using the pam_krb5 module.  If that module  
> declines
> the user, then the pam_unix module will authenticate them and the  
> password
> change logic won't be triggered.
>> I already had the idea of using kpasswd for the AD users, but this
>> doesn't solve my problem with expired passwords at login.
>> Do you also have local and krb users in you passwd and some have the
>> password in shadow and others via krb5?
> I do this all the time.  It helps considerably if you can keep the  
> UIDs
> for accounts with local passwords below the range of accounts in  
> AD, since
> then you can just use the minimum_uid PAM option and add pam_krb5  
> to all
> of the PAM stacks before pam_unix, including password.  With  
> minimum_uid,
> pam_krb5 will fail if the UID is lower than that value, letting you  
> mark
> it as sufficient and pam_unix as required after it in the stack.
> -- 
> Russ Allbery (rra at             < 
> ~eagle/>

More information about the Kerberos mailing list