How to set up NIS->Krb5 user migration?

Nikos Nikoleris nikos at
Tue Sep 1 12:00:45 EDT 2009

Luís Eterovick wrote:
> Hello,
> what I need is to create Kerberos principals for every NIS user in a
> network. I have a working MIT Kerberos 5 in my computer that i made to test.
> I've read about pam_krb5_migrate, but i didn't use pam for anything until
> now. How can I do this user creation and is it possible to test it in my own
> Kerberos realm using the NIS information?

Hello Luis,

well you can use pam_krb5_migrate so as to achieve a smooth migration to
kerberos. What we did when we migrated passwords from an ldap server to
a heimdal kdc was to migrate users while they were authenticating for
some of our services (ex mail or ssh). Thus each machine which hosted
some service would do the migration.

First you have to add the principal in /etc/security/pam_krb5.keytab:

Then delegate the credentials to those principals to be able to add new
principals to the KDC. Add to the acl file
(/etc/heimdal-kdc/kadmind.acl in mit kerberos this is named kadm5.acl
and it could be under etc as well or under /usr/local/var/krb5kdc if
your are using BSD) something like:
pam_migrate/fqdn at REALM  a  *@REALM

Then add to the pam auth stack (/etc/pam.d/common-auth)
auth    sufficient use_first_pass
auth    required nullok_secure nis use_first_pass
auth    optional debug

That way when someone is using any service that uses pam for auth should
be migrated to your KDC. The only side-effect is that users have to
enter their passwords twice. But this shouldn't be a problem sometimes
they won't even notice, if that is done by some program (ex. mail client)

-- Nikos

More information about the Kerberos mailing list