Hi, You should not verify the users locally (there is a "no_user_check" to add). The authoritative source of validation should be AD/Kerberos. Here is the config that works for us : auth sufficient /lib/security/pam_krb5.so no_user_check account required /lib/security/pam_krb5.so no_user_check 2009/9/22 Prashanth Sundaram <psundaram@xxxxxxxx>: > Here is my /etc/pam.d/ldapserver > > auth sufficient /lib/security/pam_krb5.so use_first_pass > forwardable > > password sufficient /lib/security/pam_krb5.so use_authtok > > session optional /lib/security/pam_krb5.so > > account sufficient /lib/security/pam_krb5.so > ~ > ~ > > > To revisit, here's the observation: pamsecure when set to TRUE authenticates > users only to the password in 389-ds, but when set to FALSE will > authenticate to the AD password only if the uid exists in /etc/passwd. > > > On 9/22/09 10:36 AM, "Rich Megginson" <rmeggins@xxxxxxxxxx> wrote: > >> Prashanth Sundaram wrote: >>> The account in /etc/passwd.. >> Seems like a pam problem and/or misconfiguration then - if it finds the >> entry using pam_krb5, it should never look at /etc/passwd. >>> >>> ------------------------------------------------------------------------ >>> Prashanth Sundaram wrote: >>> >>> >>> Yes, it works when there is a matching local user account. >>> >>> do you mean an account in /etc/passwd? or an account in LDAP? -- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
