hi, usually you don't want those to be in sync. When user changes password on one machine (and kerberos) change is not propagated to other machines, so thigs break. And there is always problem with kpasswd, changes with kpasswd will not be propagated at all.
My approach is to have two sets of accounts - 'local' with password in /etc/shadow and 'global' with kerberos authentication. I use LDAP to propagate global accounts and I do not use LDAP authentication, no password is stored in LDAP. you can even have third set of accounts - "LDAP" accounts which authenticate against LDAP and do not have any kerberos principal associated. And for testing, try account with * instead of password in /etc/passwd. So You can try something like this: password requisite pam_pwcheck.so nullok cracklib password sufficient pam_unix2.so nullokuse_authtok password sufficient pam_krb5.so nullok use_authtok password required pam_deny.so Matej On 05/04/2010 07:03 PM, [email protected] wrote: > Hi there, > I just installed a Kerberos5-Server to use for authentication on hosts via > ssh (all hosts + server are Linux-machines). An Entry in the > Kerberos-Database for the user is not enough, the user also must have an > account on the host he wants to log in (right now a shadow-passwd, but later > I want ldap). > But this means, the user has 2 passwords, one in the Kerberos-Database, > another one in shadow-passwd. The user can change his Kerberos-password with > kpasswd and the account-password with passwd. > But I would like that the user changes both passwords using only passwd - is > this possible ? > I tested some different configurations in /etc/pam.d/common-password, the > last one was : > > password requisite pam_pwcheck.so nullok cracklib > password required pam_unix2.so nullok > password required pam_krb5.so nullok > > But never it was a clear solution, sometimes I didnt even know what was going > on. For instance after the user changed the password, but then the > Kerberos-login didnt work anymore, I got errors like "wrong principal in > request" or the user couldn't login anymore with the normal login when he > "came" from outside the realm. > > Can someone give me some help how to make a clean solution ? > > thanks > > gizmo11 > -- > GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT! > Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
