<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>RE: Synchronizing unix and kerberos passwords.</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>You might also want to look at simply running MIT Kerberos, which Windows systems *can* authenticate against. Or you could use a MIT Kerberos - Windows AD password synching solution (there are supposedly a few commercial products out there or you can take a look at some homegrown code we developed at UT Arlington: <A HREF="http://www.uta.edu/cedar/dev/prs.php">http://www.uta.edu/cedar/dev/prs.php</A>).<BR>
<BR>
-- DK<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: pam-list-bounces@redhat.com on behalf of Ian Mortimer<BR>
Sent: Mon 2/21/2005 6:30 PM<BR>
To: pam-list@redhat.com<BR>
Subject: Synchronizing unix and kerberos passwords.<BR>
<BR>
To simplify our account creation and management we're synchronizing our<BR>
unix accounts with kerberos accounts in active directory. The<BR>
authentication part of this is working fine but password changing is<BR>
proving a bit more difficult.<BR>
<BR>
What we're aiming for is:<BR>
<BR>
1 Accounts which exist in Unix and Kerberos and have the same<BR>
password should be able to change both (to the same) and only<BR>
get prompted once for the current password.<BR>
<BR>
2 Accounts which exist in Unix and Kerberos but with different<BR>
passwords should be able to change both (to the same) and get<BR>
prompted for both current passwords.<BR>
<BR>
3 Accounts which exist only in Unix or for which the Kerberos<BR>
password is unset or unknown should be able to change the unix<BR>
password (and ignore the kerberos password prompt).<BR>
<BR>
Testing on Fedora Core 3 with this configuration seems to work:<BR>
<BR>
password requisite pam_cracklib.so retry=3<BR>
password requisite pam_unix.so nullok use_authtok md5 shadow<BR>
password optional pam_krb5.so use_authtok try_first_pass<BR>
#password required pam_deny.so<BR>
<BR>
But I had to comment out pam_deny.so to get it to work in case 3.<BR>
(A simpler solution would be to reverse the order of the pam_unix and<BR>
pam_krb5 entries but unfortunately pam_unix doesn't accept<BR>
try_first_pass in password context).<BR>
<BR>
What problems will removing pam_deny from the password module cause?<BR>
<BR>
<BR>
Thanks<BR>
--<BR>
Ian<BR>
<BR>
</FONT>
</P>
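<P><FONT SIZE=2>Ian's closing question about dropping pam_deny turns on how Linux-PAM combines the verdicts of a stack: requisite stops at the first failure, required records the failure and continues, optional failures are ignored, and a stack that reaches the end with no verdict at all fails closed. The model below is an added example, not code from either message; it simplifies the real dispatcher (no bracketed [value=action] syntax or jump actions) and runs the thread's own stack, with and without the pam_deny line, over the three cases Ian lists.</FONT></P>

```python
"""Simplified model of how Linux-PAM combines the results of a password stack.

Added example, not from the mailing-list thread. Only the four classic control
flags are modelled; the bracketed [value=action] syntax and jumps are omitted.
"""

# The stack from the original message: (control, module) in evaluation order.
STACK_WITH_DENY = [
    ("requisite", "pam_cracklib.so"),
    ("requisite", "pam_unix.so"),
    ("optional", "pam_krb5.so"),
    ("required", "pam_deny.so"),        # pam_deny always returns failure
]
STACK_WITHOUT_DENY = STACK_WITH_DENY[:-1]   # the line Ian commented out

# Constructed per-module outcomes for Ian's cases (True = PAM_SUCCESS).
# Cases 1 and 2 differ only in prompting, not in results, so they share a row.
CASES = {
    "1/2 unix and krb5 both succeed": {"pam_cracklib.so": True, "pam_unix.so": True, "pam_krb5.so": True},
    "3 unix ok, krb5 unknown":        {"pam_cracklib.so": True, "pam_unix.so": True, "pam_krb5.so": False},
    "bad current unix password":      {"pam_cracklib.so": True, "pam_unix.so": False, "pam_krb5.so": True},
}


def evaluate(stack, results):
    """Return True if the stack as a whole succeeds, following Linux-PAM's rules."""
    impression = None   # None = no verdict yet, True = positive, False = negative
    for control, module in stack:
        ok = results.get(module, False) and module != "pam_deny.so"
        if ok:
            if control == "sufficient":
                # 'done': succeed immediately unless a required module already failed
                if impression is not False:
                    return True
            elif impression is None:
                impression = True           # required/requisite/optional: 'ok'
        else:
            if control == "requisite":
                return False                # 'die': stop at once
            if control == "required" and impression is not False:
                impression = False          # 'bad': remember, but keep running modules
            # failures of sufficient/optional modules are ignored
    # No module produced a verdict (empty stack, all ignored): PAM fails closed.
    return impression is True


def summarize(stack):
    """Map each case name to the stack's overall verdict."""
    return {name: evaluate(stack, run) for name, run in CASES.items()}


if __name__ == "__main__":
    for label, stack in (("with pam_deny", STACK_WITH_DENY), ("without pam_deny", STACK_WITHOUT_DENY)):
        print(label, summarize(stack))
```

Because pam_unix is requisite, no path through the shortened stack succeeds without a correct Unix password, so the fail-closed role pam_deny plays behind a `sufficient` module is already covered here; the model also shows that a trailing `required pam_deny.so` with no preceding `sufficient` makes every case fail.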
</BODY>
</HTML>