Hi, thanks for the answer. I'm not sure if I understood 100%. I'm talking only about users who have a Kerberos principal. This user has only a Kerberos password and no "normal" account password anymore - is this right? But then this user should only call kpasswd and not passwd anymore (however, I will turn this off). If it is like this, I think I understand. But if these users will still have a "normal" account password, then I wouldn't understand - because I want to make all hosts more safe using Kerberos, but leave a second door open with "normal login".
Thanks, gizmo

> hi,
>
> usually you don't want those to be in sync. When user changes password on one
> machine (and kerberos) change is not propagated to other machines, so things break.
> And there is always problem with kpasswd, changes with kpasswd will not be
> propagated at all.
>
> My approach is to have two sets of accounts - 'local' with password in /etc/shadow
> and 'global' with kerberos authentication. I use LDAP to propagate global
> accounts and I do not use LDAP authentication, no password is stored in LDAP.
> you can even have third set of accounts - "LDAP" accounts which authenticate against LDAP
> and do not have any kerberos principal associated. And for testing, try account with
> * instead of password in /etc/passwd.
>
> So you can try something like this:
>
> password requisite pam_pwcheck.so nullok cracklib
> password sufficient pam_unix2.so nullok use_authtok
> password sufficient pam_krb5.so nullok use_authtok
> password required pam_deny.so
>
>
> Matej
> --

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
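To see why the quoted `password` stack keeps local and Kerberos passwords from ever being changed together, here is a small simulator of Linux-PAM control-flag semantics (requisite / sufficient / required) walked over that exact stack. This is an added example, not code from the list thread or from Linux-PAM itself; the module outcomes are simulated with a dictionary rather than real PAM calls, and the option strings (`nullok`, `use_authtok`, `cracklib`) are omitted because they do not affect control flow in this model.

```python
"""
Toy evaluator for a Linux-PAM 'password' stack using the classic
control flags. Added example; not from the mailing-list post and not
the real PAM library. Module results are simulated, not executed.
"""

# The stack quoted in the thread (options dropped; they do not change
# which module runs next).
STACK = [
    ("requisite",  "pam_pwcheck.so"),   # quality check; fail => stop now
    ("sufficient", "pam_unix2.so"),     # local /etc/shadow password
    ("sufficient", "pam_krb5.so"),      # Kerberos principal via kpasswd protocol
    ("required",   "pam_deny.so"),      # always fails: nothing above succeeded
]


def run_stack(stack, outcomes):
    """Walk the stack the way Linux-PAM does for the simple control flags.

    `outcomes` maps module name -> True (PAM_SUCCESS) or False (any error).
    Modules missing from the map are treated as failing, which is also
    the right model for pam_deny.so.
    Returns (final_result, list_of_modules_actually_consulted).
    """
    called = []
    failed_required = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        called.append(module)
        if control == "requisite":
            if not ok:
                return False, called        # bail out immediately
        elif control == "sufficient":
            if ok and not failed_required:
                return True, called         # short-circuit: later modules never run
        elif control == "required":
            if not ok:
                failed_required = True      # remember the failure, keep walking
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return not failed_required, called


# Constructed scenarios (simulated module results, not real accounts).
LOCAL_ACCOUNT = {"pam_pwcheck.so": True, "pam_unix2.so": True, "pam_krb5.so": True}
KRB_ONLY_ACCOUNT = {"pam_pwcheck.so": True, "pam_unix2.so": False, "pam_krb5.so": True}
NO_BACKEND = {"pam_pwcheck.so": True, "pam_unix2.so": False, "pam_krb5.so": False}
WEAK_PASSWORD = {"pam_pwcheck.so": False, "pam_unix2.so": True, "pam_krb5.so": True}


def local_account():
    """Account with a hash in /etc/shadow: pam_unix2 succeeds, pam_krb5 is never reached."""
    return run_stack(STACK, LOCAL_ACCOUNT)


def kerberos_only_account():
    """Account with '*' in /etc/passwd: pam_unix2 fails, so the change falls through to pam_krb5."""
    return run_stack(STACK, KRB_ONLY_ACCOUNT)


def no_backend_account():
    """Neither backend accepts the change: pam_deny is reached and the stack fails."""
    return run_stack(STACK, NO_BACKEND)


def weak_password():
    """pam_pwcheck rejects the new password: requisite stops the stack at once."""
    return run_stack(STACK, WEAK_PASSWORD)


if __name__ == "__main__":
    for name, fn in [("local", local_account), ("krb-only", kerberos_only_account),
                     ("no backend", no_backend_account), ("weak", weak_password)]:
        result, path = fn()
        print(f"{name:10s} -> {'OK' if result else 'FAIL'} via {' -> '.join(path)}")
```

The first `sufficient` entry that succeeds ends the stack, so an account that still has a local hash gets its local password changed and the KDC is never contacted; only an account whose local entry is `*` falls through to `pam_krb5`. That is exactly the desynchronisation the quoted reply warns about, and it is why the reply keeps 'local' and 'global' accounts as disjoint sets rather than trying to keep both secrets in step.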
