Synchronizing unix and kerberos passwords.
Ian Mortimer
ian at physics.uq.edu.au
Tue Feb 22 00:30:17 UTC 2005
To simplify our account creation and management we're synchronizing our
unix accounts with kerberos accounts in active directory. The
authentication part of this is working fine but password changing is
proving a bit more difficult.
What we're aiming for is:
1. Accounts which exist in Unix and Kerberos and have the same password should be able to change both (to the same) and only get prompted once for the current password.
2. Accounts which exist in Unix and Kerberos but with different passwords should be able to change both (to the same) and get prompted for both current passwords.
3. Accounts which exist only in Unix or for which the Kerberos password is unset or unknown should be able to change the unix password (and ignore the kerberos password prompt).
Testing on Fedora Core 3 with this configuration seems to work:
password requisite pam_cracklib.so retry=3
password requisite pam_unix.so nullok use_authtok md5 shadow
password optional pam_krb5.so use_authtok try_first_pass
#password required pam_deny.so
But I had to comment out pam_deny.so to get it to work in case 3.
(A simpler solution would be to reverse the order of the pam_unix and
pam_krb5 entries but unfortunately pam_unix doesn't accept
try_first_pass in password context).
What problems will removing pam_deny from the password module cause?
Thanks
--
Ian
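Added example, not from the original post or from the Linux-PAM project: a small model of how a PAM password stack is evaluated, using the control-word equivalents documented in pam.conf(5) (required = [success=ok default=bad], requisite = [success=ok default=die], sufficient = [success=done default=ignore], optional = [success=ok default=ignore]). It runs the stack from the post, the same stack with pam_deny left in, and a layout in which pam_deny is the catch-all after a `sufficient` pam_unix, over constructed scenarios for the three cases above plus a wrong current Unix password. The module behaviours, scenario names and the single-pass treatment are assumptions for illustration; the real password stack is walked twice (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK) and use_authtok/try_first_pass token sharing is not modelled.

```python
"""Toy model of Linux-PAM password-stack dispatch (assumed, illustrative)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"

# Control words expanded to their documented [...] actions (pam.conf(5)).
CONTROL = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

Scenario = Dict[str, bool]


@dataclass
class Entry:
    control: str
    module: str
    behaviour: Callable[[Scenario], str]  # what the module returns in a scenario


def run_stack(stack: List[Entry], scenario: Scenario) -> str:
    """Return the stack's final status following the dispatch rules."""
    impression = None         # None: undecided, True: positive, False: negative
    status = PAM_AUTHTOK_ERR  # a stack in which nothing counted must fail
    for entry in stack:
        ret = entry.behaviour(scenario)
        action = CONTROL[entry.control]["success" if ret == PAM_SUCCESS else "default"]
        if action in ("ok", "done"):
            # A success counts only while no earlier module has failed.
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, ret
            if action == "done" and impression:
                break  # sufficient succeeded and nothing before it failed
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret  # first failure is remembered
            if action == "die":
                break  # requisite: stop immediately
        # "ignore": the result does not contribute to the outcome
    return status if impression is not None else PAM_AUTHTOK_ERR


# Constructed module behaviours (assumptions, not the real modules).
def pam_cracklib(s: Scenario) -> str:
    return PAM_SUCCESS if s["new_password_strong"] else PAM_AUTHTOK_ERR

def pam_unix(s: Scenario) -> str:
    return PAM_SUCCESS if s["unix_current_ok"] else PAM_AUTHTOK_ERR

def pam_krb5(s: Scenario) -> str:
    return PAM_SUCCESS if s["krb5_current_ok"] else PAM_AUTHTOK_ERR

def pam_deny(_s: Scenario) -> str:
    return PAM_AUTHTOK_ERR  # pam_deny always fails


# The stack from the post, with pam_deny commented out.
POSTED = [
    Entry("requisite", "pam_cracklib.so", pam_cracklib),
    Entry("requisite", "pam_unix.so", pam_unix),
    Entry("optional", "pam_krb5.so", pam_krb5),
]
DENY = Entry("required", "pam_deny.so", pam_deny)
# Layout where pam_deny is the catch-all after a sufficient module.
CATCH_ALL = [
    Entry("requisite", "pam_cracklib.so", pam_cracklib),
    Entry("sufficient", "pam_unix.so", pam_unix),
    DENY,
]

# Constructed scenarios for the cases in the post (cases 1 and 2 look the
# same to the stack once both current passwords have been accepted).
SCENARIOS: Dict[str, Scenario] = {
    "cases_1_and_2": dict(new_password_strong=True, unix_current_ok=True, krb5_current_ok=True),
    "case_3_krb5_unknown": dict(new_password_strong=True, unix_current_ok=True, krb5_current_ok=False),
    "wrong_unix_password": dict(new_password_strong=True, unix_current_ok=False, krb5_current_ok=True),
}


def compare(scenario_name: str) -> Dict[str, str]:
    """Outcome of each stack variant for one scenario."""
    s = SCENARIOS[scenario_name]
    return {
        "posted": run_stack(POSTED, s),
        "posted_plus_deny": run_stack(POSTED + [DENY], s),
        "catch_all": run_stack(CATCH_ALL, s),
        "catch_all_minus_deny": run_stack(CATCH_ALL[:-1], s),
    }


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, compare(name))
```

Under these rules a `required` pam_deny at the end fails every run unless a `sufficient` module before it has already ended the stack, which is why it pairs with a `sufficient` pam_unix: in that layout, dropping pam_deny lets a wrong current Unix password succeed on the strength of pam_cracklib's result alone. In the posted stack pam_unix is `requisite`, so a bad current password aborts the stack on its own and pam_deny adds no check.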