http://bugzilla.novell.com/show_bug.cgi?id=545724
http://bugzilla.novell.com/show_bug.cgi?id=545724#c9

--- Comment #9 from Jiri Bohac <jbohac@novell.com> 2009-12-04 17:43:33 UTC ---

(In reply to comment #8)
> (In reply to comment #7)
> > And to do this you:
> > 1) devise a hackish policy that mandates the passwords in the local
> > (processed with pam_unix) database to be invalid so that pam_unix in the
> > common-auth stack fails and pam_krb5 is called
>
> Wrong. First pam_unix is called, then pam_krb5. If no password is given
> in /etc/shadow or nis for the user, pam_unix will of course fail. This is
> the way pam works.

Sure, this is how it works. But the goal is to use pam_krb5 during
authentication. Doing that by putting pam_unix as sufficient prior to
pam_krb5 and mandating that all users must have an empty/invalid password
in /etc/shadow (or NIS) is what I called a hackish policy.

What you really want is something along the lines of this pseudocode:

    if (pam_unix succeeds) {
        // prevent network timeouts when network is broken
        if (system user)
            return OK
        call pam_krb5 as optional   // to get the ticket
    } else
        call pam_krb5 as required

I believe this could be done with something like this in common-auth
(but I'm not an expert on this, maybe I'm wrong):

    auth [success=ok default=2] pam_unix
    auth [default=ignore success=done] pam_succeed_if.so uid < 1000 quiet
    auth [default=1] pam_krb5
    auth required pam_krb5
    .. continue with other modules
> > 2) to maintain the invalid passwords in the local database you put a
> > hack in common-passwd to prevent pam_unix from setting the passwords.
> > You do this based on the uid, which is a really weak indication of what
> > database the user password should be maintained in.
>
> I skip pam_unix in the password section in case of uid > 999. That's
> correct. I do this to prevent that a user with a kerberos account
> accidentally sets the password in nis or /etc/shadow.

But what is accidental about that? Having a correct password in
/etc/shadow is not something that should break things if common-auth is
done right. In fact, it is an advantage for cases when the kerberos server
is down. Sure, common-password needs to be written in a way that does not
fail if the user does not exist in the local/NIS database, but that's
trivial.
> This is the problem. There is a source which also has a password field.
> In case kerberos is used, this field should be set to "*", so that no
> authentication against this source can be successful.

Authenticating against this source is nothing wrong. You just need to make
sure you get the kerberos ticket anyway. Something I hopefully achieved in
my suggested common-auth above.
> I will close this again as invalid. It works like expected.

Obviously not by everyone. I don't want to be annoying by going into a
never-ending REOPEN-INVALID battle. But please, think about it ;-)
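The argument in this thread is that a uid threshold is a weak indicator of which password database an account belongs to, and that what actually decides whether pam_unix can authenticate someone is the hash field in /etc/shadow. The following Python script is an added illustration of that point; it is not code from the bug report or from either commenter. It parses passwd/shadow-style data, classifies each hash field the way pam_unix treats it (usable hash, empty field, or a locked "*"/"!" entry), and reports every account above the uid boundary whose local password would still be accepted. The passwd and shadow lines, the hash values and the function names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data (not from a real system). Fields follow the
# /etc/passwd and /etc/shadow layouts; only the name, uid and hash matter here.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sysadm:x:999:999:local admin:/home/sysadm:/bin/bash
alice:x:1000:100:Alice (kerberos only):/home/alice:/bin/bash
bob:x:1001:100:Bob (local password):/home/bob:/bin/bash
carol:x:1002:100:Carol (empty field):/home/carol:/bin/bash
dave:x:1003:100:Dave (locked):/home/dave:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$CONSTRUCTEDHASHROOT:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
sysadm:$6$saltsalt$CONSTRUCTEDHASHSYSADM:14000:0:99999:7:::
alice:*:14000:0:99999:7:::
bob:$6$saltsalt$CONSTRUCTEDHASHBOB:14000:0:99999:7:::
carol::14000:0:99999:7:::
dave:!$6$saltsalt$CONSTRUCTEDHASHDAVE:14000:0:99999:7:::
"""

# The "uid < 1000 is a system user" boundary used by the common-* hack in the bug.
SYSTEM_UID_MAX = 999


@dataclass
class Account:
    name: str
    uid: int
    hash_field: str


def classify_hash(field: str, nullok: bool = False) -> str:
    """Return how pam_unix treats a shadow hash field.

    'usable' - a hash is present; the matching password authenticates
    'empty'  - no hash at all; pam_unix accepts an empty password only with nullok
    'locked' - "*" or a "!"-prefixed value; no password can ever match it
    """
    if field == "":
        return "usable" if nullok else "empty"
    if field == "*" or field.startswith("!"):
        return "locked"
    return "usable"


def parse_accounts(passwd_text: str, shadow_text: str) -> List[Account]:
    """Join passwd and shadow entries by user name.

    An account with no shadow entry is treated as locked ("*"), which is how a
    missing hash behaves for pam_unix.
    """
    hashes: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":", 2)[:2]
            hashes[name] = field
    accounts = []
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split(":")
            accounts.append(Account(parts[0], int(parts[2]), hashes.get(parts[0], "*")))
    return accounts


def audit(accounts: List[Account], nullok: bool = False) -> Dict[str, str]:
    """Report accounts above the uid boundary that pam_unix could still authenticate.

    The uid rule in the bug assumes "uid >= 1000 means kerberos user with no
    local password". Any such account whose shadow field is usable, or empty
    while nullok is set, can be authenticated by pam_unix alone; the uid check
    in common-password does nothing to prevent that.
    """
    findings = {}
    for account in accounts:
        state = classify_hash(account.hash_field, nullok)
        if account.uid > SYSTEM_UID_MAX and state != "locked":
            findings[account.name] = state
    return findings


if __name__ == "__main__":
    accounts = parse_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name, state in audit(accounts).items():
        print(f"{name}: uid above boundary but local password is {state}")
```

Run against the constructed data, the audit flags bob (a real hash, so a correct password authenticates locally regardless of uid) and carol (an empty field, which becomes a usable login as soon as nullok is configured), while alice and dave are reported as nothing because their fields can never match. Against a real system the same function would read /etc/passwd and /etc/shadow, and the pam_unix options in common-auth decide whether nullok should be passed.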