[27824] in Kerberos
Re: Using kerberos with users in passwd
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue May 29 15:43:33 2007
From: Russ Allbery <rra@stanford.edu>
To: Timo Wendt <twendt@online.de>
In-Reply-To: <20387AD9-4EE0-49F8-983B-C78119AA22B9@online.de> (Timo Wendt's
message of "Tue, 29 May 2007 21:08:10 +0200")
Date: Tue, 29 May 2007 12:43:08 -0700
Message-ID: <87k5urxvoz.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: "Edgecombe, Jason" <jwedgeco@uncc.edu>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Timo Wendt <twendt@online.de> writes:
> thanks for your answer.
> What happens when someone logs in and his password is expired? ssh
> will ask for the password to be changed.
This happens as part of the authentication and will only happen if the
user was authenticated using the pam_krb5 module. If that module declines
the user, then the pam_unix module will authenticate them and the password
change logic won't be triggered.
> I already had the idea of using kpasswd for the AD users, but this
> doesn't solve my problem with expired passwords at login.
> Do you also have local and krb users in your passwd and some have the
> password in shadow and others via krb5?
I do this all the time. It helps considerably if you can keep the UIDs
for accounts with local passwords below the range of accounts in AD, since
then you can just use the minimum_uid PAM option and add pam_krb5 to all
of the PAM stacks before pam_unix, including password. With minimum_uid,
pam_krb5 will fail if the UID is lower than that value, letting you mark
it as sufficient and pam_unix as required after it in the stack.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
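The PAM stack layout Russ describes, written out as an added example (this is not a configuration from the thread or from the pam-krb5 project; it assumes Linux-PAM syntax in a /etc/pam.d/ service file, a local-UID cutoff of 1000 as the hypothetical value for minimum_uid, and that every Kerberos/AD account has a UID at or above that cutoff). The first block shows the ordering that breaks expired-password handling; the second shows the ordering from the mail.

```pam
# --- Weak ordering (what to avoid) ---
# pam_unix runs first and pam_krb5 is missing from the password stack.
# A Kerberos user with a stale or absent shadow entry never reaches
# pam_krb5 for auth, and an expired Kerberos password is never detected,
# so ssh never prompts the user to change it.
auth      required   pam_unix.so
auth      sufficient pam_krb5.so
password  required   pam_unix.so

# --- Ordering from the mail: pam_krb5 first, marked sufficient ---
# minimum_uid=1000 is an assumed cutoff: accounts below it are local
# (password in /etc/shadow), accounts at or above it live in AD.
# pam_krb5 declines users below the cutoff, so "sufficient" falls
# through to pam_unix, which is "required" and handles the local user.
auth      sufficient pam_krb5.so minimum_uid=1000
# try_first_pass reuses the password pam_krb5 already collected, so a
# local user who happened to be prompted is not asked twice.
auth      required   pam_unix.so try_first_pass

account   sufficient pam_krb5.so minimum_uid=1000
account   required   pam_unix.so

# The password stack is the piece that makes the expired-password
# change at login work: an AD user whose password has expired is walked
# through the Kerberos password change by pam_krb5, while a local user
# (below the cutoff) falls through to pam_unix and changes /etc/shadow.
password  sufficient pam_krb5.so minimum_uid=1000
password  required   pam_unix.so
```

Two checks worth running before relying on this: confirm with `getent passwd` that no local account has a UID at or above the cutoff (otherwise pam_krb5 will try to authenticate it against the KDC and the shadow password is never consulted), and test the fall-through with a local account of low UID and a deliberately wrong Kerberos password to verify that pam_unix, not pam_krb5, is the module that decides. For the session stack, which the mail also mentions, `optional` rather than `sufficient` for pam_krb5 is the safer choice, since `sufficient` would skip pam_unix's session handling for Kerberos users.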