Synchronizing unix and kerberos passwords.

Kasundra, Digant digant at uta.edu
Tue Feb 22 00:43:44 UTC 2005


You might also want to look at simply running MIT Kerberos, which Windows systems *can* authenticate against.  Or you could use an MIT Kerberos - Windows AD password synching solution (there are supposedly a few commercial products out there or you can take a look at some homegrown code we developed at UT Arlington: http://www.uta.edu/cedar/dev/prs.php).

-- DK


-----Original Message-----
From: pam-list-bounces at redhat.com on behalf of Ian Mortimer
Sent: Mon 2/21/2005 6:30 PM
To: pam-list at redhat.com
Subject: Synchronizing unix and kerberos passwords.
 
To simplify our account creation and management we're synchronizing our
unix accounts with kerberos accounts in active directory.  The
authentication part of this is working fine but password changing is
proving a bit more difficult.

What we're aiming for is:

   1  Accounts which exist in Unix and Kerberos and have the same
       password should be able to change both (to the same) and only 
       get prompted once for the current password.

   2  Accounts which exist in Unix and Kerberos but with different
       passwords should be able to change both (to the same) and get
       prompted for both current passwords.

   3  Accounts which exist only in Unix or for which the Kerberos
       password is unset or unknown should be able to change the unix
       password (and ignore the kerberos password prompt).

Testing on Fedora Core 3 with this configuration seems to work:

   password    requisite     pam_cracklib.so retry=3
   password    requisite     pam_unix.so nullok use_authtok md5 shadow
   password    optional      pam_krb5.so use_authtok try_first_pass
   #password    required      pam_deny.so

But I had to comment out pam_deny.so to get it to work in case 3.
(A simpler solution would be to reverse the order of the pam_unix and
pam_krb5 entries but unfortunately pam_unix doesn't accept
try_first_pass in password context).

What problems will removing pam_deny from the password module cause?


Thanks
-- 
Ian

_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
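
Added illustration for this thread (not code from the list, from Linux-PAM or from pam_krb5): a small Python model of how libpam walks a password stack under the four classic control flags, run against the stack quoted above both with and without the trailing pam_deny line, plus one constructed reference stack in which pam_unix is "sufficient" instead of "requisite". The module outcomes for the cases in the mail are constructed values; nothing here talks to a real PAM or KDC. It shows where a trailing pam_deny actually earns its keep: after a sufficient entry, where a success already recorded by an earlier module would otherwise carry the stack through even when the sufficient module fails.

```python
"""Simplified model of how Linux-PAM walks a password stack.

Added illustration for this thread: not code from the list, from Linux-PAM
or from pam_krb5.  The dispatch rules below follow libpam's documented
behaviour for the four classic control flags; the stacks are the ones in
Ian's mail plus one constructed reference stack, and every module outcome
is supplied by the caller, so nothing here touches a real PAM or KDC.
"""

SUCCESS = "PAM_SUCCESS"
DENIED = "PAM_PERM_DENIED"
FAILED = "PAM_AUTHTOK_ERR"   # stands in for any non-success module return

# Per control flag: action on success, action on any failure code.
#   ok     record a positive result if none recorded yet, keep going
#   bad    record a negative result (the first one sticks), keep going
#   die    stop at once with this module's failure
#   done   stop at once with success, unless a required module already failed
#   ignore drop the result, keep going
CONTROLS = {
    "required":   ("ok", "bad"),
    "requisite":  ("ok", "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok", "ignore"),
}


def run_stack(stack, outcomes):
    """Return what the application sees for [(control, module), ...].

    `outcomes` maps a module file name to the code it would return.
    pam_deny.so needs no entry: it always fails.
    """
    impression = None     # None undecided, True positive, False negative
    status = DENIED       # what libpam returns when nothing ever decided
    for control, module in stack:
        retval = DENIED if module == "pam_deny.so" else outcomes[module]
        on_ok, on_fail = CONTROLS[control]
        action = on_ok if retval == SUCCESS else on_fail
        if action == "ok":
            if impression is None:
                impression, status = True, retval
        elif action == "bad":
            if impression is not False:
                impression, status = False, retval
        elif action == "die":
            return retval
        elif action == "done":
            if impression is not False:
                return SUCCESS
        # "ignore": nothing recorded, move on
    return status


def evaluate(stack, cases):
    """Run every named case through one stack; returns {case: result}."""
    return {name: run_stack(stack, outcomes) for name, outcomes in cases.items()}


# Ian's Fedora Core 3 stack as posted, pam_deny commented out ...
IANS_STACK = [
    ("requisite",  "pam_cracklib.so"),
    ("requisite",  "pam_unix.so"),
    ("optional",   "pam_krb5.so"),
]
# ... and with the pam_deny line restored.
IANS_STACK_WITH_DENY = IANS_STACK + [("required", "pam_deny.so")]
# Constructed reference stack: the shape where a trailing pam_deny does real
# work, catching the fall-through when the sufficient module fails.
SUFFICIENT_STACK = [
    ("requisite",  "pam_cracklib.so"),
    ("sufficient", "pam_unix.so"),
    ("required",   "pam_deny.so"),
]

# Module outcomes for the situations in the mail (constructed values).
CASES = {
    "case1_both_changed":  {"pam_cracklib.so": SUCCESS, "pam_unix.so": SUCCESS, "pam_krb5.so": SUCCESS},
    "case3_no_kerberos":   {"pam_cracklib.so": SUCCESS, "pam_unix.so": SUCCESS, "pam_krb5.so": FAILED},
    "wrong_unix_password": {"pam_cracklib.so": SUCCESS, "pam_unix.so": FAILED,  "pam_krb5.so": SUCCESS},
    "weak_new_password":   {"pam_cracklib.so": FAILED,  "pam_unix.so": SUCCESS, "pam_krb5.so": SUCCESS},
}

if __name__ == "__main__":
    for label, stack in [("as posted", IANS_STACK),
                         ("with pam_deny", IANS_STACK_WITH_DENY),
                         ("sufficient + pam_deny", SUFFICIENT_STACK),
                         ("sufficient, pam_deny removed", SUFFICIENT_STACK[:-1])]:
        print(label)
        for case, result in evaluate(stack, CASES).items():
            print(f"  {case:22} -> {result}")
```

Running it, the last block shows the hazard pam_deny exists to close: with pam_cracklib's success already recorded and pam_unix as "sufficient", dropping pam_deny makes the stack return success to the application even though pam_unix failed and no password was changed. In the stack as posted, pam_unix is "requisite", so its failure ends the stack by itself and there is no fall-through for pam_deny to guard; in this model a required pam_deny at the end of that stack fails every case, because nothing above it short-circuits.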
