[Freeipa-users] pam settings for changing password under FreeIPA
Nick Gresham
n.gresham at manchester.ac.uk
Tue Oct 28 11:00:28 UTC 2008
Simo Sorce wrote:
> This is just a matter of configuration of the pam_stack, you want to
> probably always attempt first a kerberos password change and a unix
> password change only if it fails, as the default case for you is users
> coming from IPA not local users.
>
> Simo.
>
Just for reference, should anyone be interested, the following settings
in /etc/pam.d/system-auth seem to work and to hide the "Kerberos 5
Password" stage:
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok no_initial_prompt
password required pam_deny.so
Many thanks for the advice given on this list,
[NG]
--
N.J. Gresham
FLS/IS AIO
Systems Administration and Support
University of Manchester
Faculty of Life Sciences
int: 7759349
ext: 0790-989-3684
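An added example, not part of the original post: a simplified single-pass model of the control flags (requisite, sufficient, required) in the password stack quoted above, showing which modules are called and whether the stack succeeds. The module outcomes are constructed inputs, and the two-phase processing PAM performs for password changes is not modelled.

```python
# Added example: simplified, single-pass model of PAM control flags.
# The stack text is copied from the post; module outcomes are constructed.
STACK = """\
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok no_initial_prompt
password required pam_deny.so
"""

def parse(text, group="password"):
    """Return [(control, module, args)] for one management group."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries

def evaluate(entries, outcomes):
    """Walk the stack; outcomes maps module -> True/False (missing = fails).
    Returns (stack_succeeds, modules_called_in_order)."""
    called, positive, failed = [], False, False
    for control, module, _args in entries:
        ok = outcomes.get(module, False)   # pam_deny.so is never listed: always fails
        called.append(module)
        if control == "requisite" and not ok:
            return False, called           # die: stop immediately
        if control == "required" and not ok:
            failed = True                  # bad: remember, keep going
        if control == "sufficient" and ok and not failed:
            return True, called            # done: later modules are skipped
        if control in ("requisite", "required") and ok:
            positive = True
    return positive and not failed, called

SCENARIOS = {  # constructed module outcomes
    "local account": {"pam_cracklib.so": True, "pam_unix.so": True},
    "IPA-only account": {"pam_cracklib.so": True, "pam_krb5.so": True},
    "weak new password": {"pam_cracklib.so": False},
    "both backends fail": {"pam_cracklib.so": True},
}

if __name__ == "__main__":
    stack = parse(STACK)
    for name, outcomes in SCENARIOS.items():
        ok, called = evaluate(stack, outcomes)
        print(f"{name:20} success={ok!s:5} called={' -> '.join(called)}")
```

In this model an account satisfied by pam_unix.so never reaches pam_krb5.so, so its Kerberos password is left unchanged.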