[27825] in Kerberos
Re: Using kerberos with users in passwd
daemon@ATHENA.MIT.EDU (Timo Wendt)
Tue May 29 16:08:10 2007
In-Reply-To: <87k5urxvoz.fsf@windlord.stanford.edu>
Message-Id: <9421E71C-A824-4998-BABB-6CA34AC3DFEC@online.de>
From: Timo Wendt <twendt@online.de>
Date: Tue, 29 May 2007 21:50:17 +0200
To: Russ Allbery <rra@stanford.edu>
Cc: "Edgecombe, Jason" <jwedgeco@uncc.edu>, kerberos@mit.edu
I will see if the minimum and maximum_uid will help me. This sounds
good. I expect though that this is also not possible in our
environment, because we kept the same uids when migrating to ADS. But
if only a few users are affected then it is always an option to
change the uid with all the related files.
On 29.05.2007 at 21:43, Russ Allbery wrote:
> Timo Wendt <twendt@online.de> writes:
>
>> thanks for your answer.
>> What happens when someone logs in and his password is expired? ssh
>> will ask for the password to be changed.
>
> This happens as part of the authentication and will only happen if the
> user was authenticated using the pam_krb5 module. If that module declines
> the user, then the pam_unix module will authenticate them and the password
> change logic won't be triggered.
>
>> I already had the idea of using kpasswd for the AD users, but this
>> doesn't solve my problem with expired passwords at login.
>> Do you also have local and krb users in your passwd and some have the
>> password in shadow and others via krb5?
>
> I do this all the time. It helps considerably if you can keep the UIDs
> for accounts with local passwords below the range of accounts in AD, since
> then you can just use the minimum_uid PAM option and add pam_krb5 to all
> of the PAM stacks before pam_unix, including password. With minimum_uid,
> pam_krb5 will fail if the UID is lower than that value, letting you mark
> it as sufficient and pam_unix as required after it in the stack.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
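
The stack layout described in the quoted reply (pam_krb5 with minimum_uid marked sufficient, ahead of pam_unix marked required, in the password stack as well as auth) can be checked mechanically. The following is an added example, not code from the thread or from the pam_krb5 project; the sample stacks are constructed, the UID boundary 1000 is an assumption, and `parse_stack` and `lint_stack` are hypothetical helper names.

```python
import re

# Constructed sample stack, not taken from the thread; 1000 is an assumed UID boundary.
GOOD_STACK = """\
auth      sufficient  pam_krb5.so minimum_uid=1000
auth      required    pam_unix.so try_first_pass
password  sufficient  pam_krb5.so minimum_uid=1000
password  required    pam_unix.so
"""

# Constructed counter-example: pam_unix first, no minimum_uid, no password entry.
BAD_STACK = """\
auth      required    pam_unix.so
auth      sufficient  pam_krb5.so
password  required    pam_unix.so
"""

LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Yield (type, control, module basename, args) for each pam.d rule line."""
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4).split()

def lint_stack(text, types=("auth", "password")):
    """Return findings where the stack departs from the layout in the reply."""
    rules = list(parse_stack(text))
    findings = []
    for t in types:
        mods = [(c, mod, args) for ty, c, mod, args in rules if ty == t]
        names = [mod for _, mod, _ in mods]
        if "pam_krb5.so" not in names:
            findings.append(f"{t}: pam_krb5 missing")
            continue
        k = names.index("pam_krb5.so")
        control, _, args = mods[k]
        if "pam_unix.so" in names and names.index("pam_unix.so") < k:
            findings.append(f"{t}: pam_krb5 listed after pam_unix")
        if control != "sufficient":
            findings.append(f"{t}: pam_krb5 control is {control}, not sufficient")
        if not any(a.startswith("minimum_uid=") for a in args):
            findings.append(f"{t}: pam_krb5 has no minimum_uid")
        if "pam_unix.so" in names and mods[names.index("pam_unix.so")][0] != "required":
            findings.append(f"{t}: pam_unix is not required")
    return findings
```

Only the auth and password stacks are checked by default; pass a different `types` tuple to cover others.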