Synchronizing unix and kerberos passwords.
Tomas Mraz
tmraz at redhat.com
Tue Feb 22 08:55:57 UTC 2005
On Tue, 2005-02-22 at 10:30 +1000, Ian Mortimer wrote:
> Testing on Fedora Core 3 with this configuration seems to work:
>
> password requisite pam_cracklib.so retry=3
> password requisite pam_unix.so nullok use_authtok md5 shadow
> password optional pam_krb5.so use_authtok try_first_pass
> #password required pam_deny.so
>
> But I had to comment out pam_deny.so to get it to work in case 3.
> (A simpler solution would be to reverse the order of the pam_unix and
> pam_krb5 entries but unfortunately pam_unix doesn't accept
> try_first_pass in password context).
>
> What problems will removing pam_deny from the password module cause?
Of course you cannot have pam_deny.so there in your configuration
because the pam_krb5 is optional - thus the pam_deny makes the password
fail regardless of the result of pam_krb5. So removing pam_deny was the
right thing to do.
--
Tomas Mraz <tmraz at redhat.com>
More information about the Pam-list
mailing list