passwd, kpasswd
thom_schu@gmx.de
thom_schu at gmx.de
Wed May 5 04:12:20 EDT 2010
Hi,
Thanks for the answer.
I'm not sure if I understood 100%.
I'm talking only about users who have a kerberos-principal.
These users have only a kerberos-password and no "normal" account-password
anymore - is this right? But then these users should only call kpasswd and
not passwd anymore (however, I will turn this off). If it is like this, I
think I understand.
But if these users still have a "normal" account-password, then I
wouldn't understand - because I want to make all hosts more safe using
kerberos, but leave a second door open with "normal login".
Thanks
gizmo
> hi,
>
> usually you don't want those to be in sync. When user changes password
> on one machine (and kerberos) change is not propagated to other machines,
> so things break.
> And there is always problem with kpasswd, changes with kpasswd will not be
> propagated at all.
>
> My approach is to have two sets of accounts - 'local' with password in
> /etc/shadow and 'global' with kerberos authentication. I use LDAP to
> propagate global accounts and I do not use LDAP authentication, no
> password is stored in LDAP.
> You can even have third set of accounts - "LDAP" accounts which
> authenticate against LDAP and do not have any kerberos principal
> associated. And for testing, try account with * instead of password in
> /etc/passwd.
>
> So you can try something like this:
>
> password requisite pam_pwcheck.so nullok cracklib
> password sufficient pam_unix2.so nullok use_authtok
> password sufficient pam_krb5.so nullok use_authtok
> password required pam_deny.so
>
>
> Matej
>
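An added example, not part of the original messages: a small Python model of how the control flags in the quoted `password` stack are evaluated, showing which modules are reached for a local account and for a Kerberos-only account. The per-module outcomes in `SCENARIOS` are constructed assumptions, and the evaluator handles only the `requisite`, `required` and `sufficient` flags.

```python
# Added illustration (not from the thread): evaluate a PAM "password" stack
# with the requisite / required / sufficient control flags only.
STACK = """\
password requisite  pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so   nullok use_authtok
password sufficient pam_krb5.so    nullok use_authtok
password required   pam_deny.so
"""

# Constructed assumptions about what each module returns per account type.
SCENARIOS = {
    "local account": {"pam_pwcheck.so": True, "pam_unix2.so": True, "pam_krb5.so": False},
    "kerberos-only": {"pam_pwcheck.so": True, "pam_unix2.so": False, "pam_krb5.so": True},
    "weak new password": {"pam_pwcheck.so": False, "pam_unix2.so": True, "pam_krb5.so": True},
    "unknown account": {"pam_pwcheck.so": True, "pam_unix2.so": False, "pam_krb5.so": False},
}

def parse(text):
    """Return [(control, module, args)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            _type, control, module, *args = line.split()
            rules.append((control, module, args))
    return rules

def run_stack(rules, outcomes):
    """Return (overall_success, modules_called) for one password change."""
    failed, passed, called = False, False, []
    for control, module, _args in rules:
        ok = outcomes.get(module, False)  # pam_deny.so is absent, so it fails
        called.append(module)
        if control == "requisite" and not ok:
            return False, called          # fail immediately
        if control == "sufficient":
            if ok and not failed:
                return True, called       # stop here, later modules skipped
            continue                      # a sufficient failure is ignored
        if ok:
            passed = True
        else:
            failed = True
    return passed and not failed, called

if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        print(name, run_stack(parse(STACK), outcomes))
```

In the "local account" case the stack returns at `pam_unix2.so`, so `pam_krb5.so` is never called and the Kerberos password is left unchanged.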