We've been using this auth configuration to allow login with krb5 (AD) or with a unix password: auth required pam_env.so auth sufficient pam_krb5.so auth sufficient pam_unix.so use_first_pass auth required pam_deny.so The way this works has changed between pam-0.79 + pam_krb5-2.1.15 and pam-0.99.6.2 + pam_krb5-2.2.11. Previously if a user had an AD account but no password set they could not login with a blank password - now they can. This probably should be fixed in AD but I was wondering if there's a way of doing it through pam. Thanks --- Ian _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
