[32303] in Kerberos
passwd, kpasswd
daemon@ATHENA.MIT.EDU (thom_schu@gmx.de)
Tue May 4 13:04:10 2010
Date: Tue, 04 May 2010 19:03:56 +0200
From: thom_schu@gmx.de
Message-ID: <20100504170356.268640@gmx.net>
To: kerberos@mit.edu
Hi there,
I just installed a Kerberos5 server to use for authentication on hosts via ssh (all hosts + server are Linux machines). An entry in the Kerberos database for the user is not enough; the user must also have an account on the host he wants to log in to (right now a shadow passwd, but later I want ldap).
But this means the user has 2 passwords, one in the Kerberos database, another one in shadow passwd. The user can change his Kerberos password with kpasswd and the account password with passwd.
But I would like the user to change both passwords using only passwd - is this possible?
I tested some different configurations in /etc/pam.d/common-password; the last one was:
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so nullok
password required pam_krb5.so nullok
But it was never a clear solution; sometimes I didn't even know what was going on. For instance, after the user changed the password, the Kerberos login didn't work anymore, I got errors like "wrong principal in request", or the user couldn't log in anymore with the normal login when he "came" from outside the realm.
Can someone give me some help on how to make a clean solution?
thanks
gizmo11
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos