RE: Synchronizing unix and kerberos passwords.


You might also want to look at simply running MIT Kerberos, which Windows systems *can* authenticate against.  Or you could use an MIT Kerberos - Windows AD password synching solution (there are supposedly a few commercial products out there, or you can take a look at some homegrown code we developed at UT Arlington: http://www.uta.edu/cedar/dev/prs.php).

-- DK


-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx on behalf of Ian Mortimer
Sent: Mon 2/21/2005 6:30 PM
To: pam-list@xxxxxxxxxx
Subject: Synchronizing unix and kerberos passwords.

To simplify our account creation and management we're synchronizing our
unix accounts with kerberos accounts in active directory.  The
authentication part of this is working fine but password changing is
proving a bit more difficult.

What we're aiming for is:

   1  Accounts which exist in Unix and Kerberos and have the same
       password should be able to change both (to the same) and only
       get prompted once for the current password.

   2  Accounts which exist in Unix and Kerberos but with different
       passwords should be able to change both (to the same) and get
       prompted for both current passwords.

   3  Accounts which exist only in Unix or for which the Kerberos
       password is unset or unknown should be able to change the unix
       password (and ignore the kerberos password prompt).

Testing on Fedora Core 3 with this configuration seems to work:

   password    requisite     pam_cracklib.so retry=3
   password    requisite     pam_unix.so nullok use_authtok md5 shadow
   password    optional      pam_krb5.so use_authtok try_first_pass
   #password    required      pam_deny.so

But I had to comment out pam_deny.so to get it to work in case 3.
(A simpler solution would be to reverse the order of the pam_unix and
pam_krb5 entries but unfortunately pam_unix doesn't accept
try_first_pass in password context).

What problems will removing pam_deny from the password module cause?


Thanks
--
Ian

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
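The password stacks discussed in the thread, run through a small model of how Linux-PAM combines module results under the `requisite`, `required`, `sufficient` and `optional` control flags. This is an added example for readers of the archive; it is not code from either message, from Linux-PAM, or from the UT Arlington project. The `evaluate_stack` function, the stack labels and the scenario names are my own, and the model is a simplification of pam.conf(5): it covers only the four classic flags, ignores the `[value=action]` syntax, and does not model prompting or `use_authtok` (so cases 1 and 2 of the original message collapse into one scenario). The scenario outcomes (which module accepts or rejects the new password) are constructed.

```python
"""Toy model of how a PAM password stack combines per-module results."""

SUCCESS = "PAM_SUCCESS"
DENIED = "PAM_PERM_DENIED"


def evaluate_stack(stack, outcomes):
    """Combine module outcomes using the control flags from pam.conf(5).

    stack:    list of (control_flag, module_name) in file order.
    outcomes: dict module_name -> True (module succeeded) / False (failed).

    Simplified semantics of the four classic flags:
      requisite  - failure ends the stack immediately with a denial.
      required   - failure is remembered, but the remaining modules still run.
      sufficient - success ends the stack with PAM_SUCCESS unless an earlier
                   required module already failed; failure is skipped.
      optional   - the result only counts if no other module decided anything.
    A stack that produced no decision at all is treated as a denial here.
    """
    required_failed = False
    decided = False          # a required/requisite module recorded a result
    optional_result = None   # first optional module's result, if any

    for flag, module in stack:
        ok = outcomes.get(module, False)   # module missing from outcomes: failure
        if flag == "requisite":
            if not ok:
                return DENIED
            decided = True
        elif flag == "required":
            if not ok:
                required_failed = True
            decided = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return SUCCESS
            # a failing sufficient module is simply skipped
        elif flag == "optional":
            if optional_result is None:
                optional_result = ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")

    if required_failed:
        return DENIED
    if decided:
        return SUCCESS
    if optional_result is not None:
        return SUCCESS if optional_result else DENIED
    return DENIED


# The stack from the original message with the pam_deny line still active.
POSTED_STACK = [
    ("requisite", "pam_cracklib.so"),
    ("requisite", "pam_unix.so"),
    ("optional", "pam_krb5.so"),
    ("required", "pam_deny.so"),
]
# The same stack with pam_deny commented out, as the poster ended up running it.
POSTED_STACK_NO_DENY = POSTED_STACK[:-1]

# The shape pam_deny is designed for: pam_unix is `sufficient`, so a successful
# change returns before pam_deny is reached, and pam_deny catches everything else.
SUFFICIENT_STACK = [
    ("requisite", "pam_cracklib.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]
SUFFICIENT_STACK_NO_DENY = SUFFICIENT_STACK[:-1]

STACKS = {
    "posted": POSTED_STACK,
    "posted, pam_deny removed": POSTED_STACK_NO_DENY,
    "sufficient pam_unix + pam_deny": SUFFICIENT_STACK,
    "sufficient pam_unix, pam_deny removed": SUFFICIENT_STACK_NO_DENY,
}


def scenario(cracklib=True, unix=True, krb5=True):
    """Constructed module outcomes; pam_deny never succeeds, so it is fixed."""
    return {"pam_cracklib.so": cracklib, "pam_unix.so": unix,
            "pam_krb5.so": krb5, "pam_deny.so": False}


CASES = {
    "cases 1/2: both passwords changed": scenario(),
    "case 3: kerberos change fails": scenario(krb5=False),
    "weak new password rejected": scenario(cracklib=False),
    "unix change fails": scenario(unix=False),
}


def compare_stacks():
    """Evaluate every scenario against every stack: {stack label: {case: result}}."""
    return {label: {case: evaluate_stack(stack, outcomes)
                    for case, outcomes in CASES.items()}
            for label, stack in STACKS.items()}


if __name__ == "__main__":
    for label, results in compare_stacks().items():
        print(label)
        for case, result in results.items():
            print(f"  {case:36s} -> {result}")
```

Two rows of the output are the ones worth reading. With `pam_unix` marked `requisite`, the posted stack denies every change while `pam_deny` is present, because a `requisite` success does not stop the stack and the terminal `required` denial is always reached; removing `pam_deny` there costs nothing, since a failing `pam_unix` already aborts the stack. With `pam_unix` marked `sufficient` (the shape the trailing `pam_deny` was written for), removing `pam_deny` lets a failed `pam_unix` fall off the end of the stack and report success on the strength of the earlier `pam_cracklib` result, which is the kind of silent pass-through the catch-all exists to prevent.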
