Currently I am setting up a group of Linux machines, and I have successfully configured Samba and PAM to authenticate users that log in to Linux against the Windows Active Directory of users. Furthermore, Kerberos works to the extent that I can kinit, successfully retrieve a ticket, and smbmount with it. I discovered that typing in the password twice (once for login, another to kinit) became tedious after constant use. However, I just recently discovered that there was a module named pam_krb5.so that supposedly could retrieve a ticket on login. No matter how I tried configuring it, it would not work properly.
The following is /etc/pam.d/login (sans header):
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
auth required /lib/security/pam_krb5.so use_first_pass creds
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
I'm not positive if this is relevant to this module, but when a user logs in, the username format is in DOMAIN+username. However, for kinit to work, the username must be username@DOMAIN.TLD. Would I need additional tweaking to get pam_krb5.so to work?
For those that have experience with this module, am I correct in assuming that it does in fact retrieve a ticket on login? Any help would be greatly appreciated. Thanks in advance.
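
Added example, not part of the original post: a small Python model of the required / requisite / sufficient control flags, run over the auth lines quoted above to show which modules are actually called in each case. The scenario outcomes are constructed, and the model deliberately ignores "optional" results and bracketed control syntax.

```python
# Added illustration (not from the post): a minimal model of how Linux-PAM
# walks a stack using the simple control flags. It is not a PAM implementation.
AUTH_STACK = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
auth required /lib/security/pam_krb5.so use_first_pass creds
"""

def parse(text, group="auth"):
    """Return [(control, module_file)] for the lines of one management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def walk(stack, outcomes):
    """Simulate one pass over the stack.
    outcomes: module file -> True (module succeeds) or False (module fails).
    Returns (overall_success, modules_called_in_order)."""
    called, required_failed, any_ok = [], False, False
    for control, module in stack:
        called.append(module)
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True, called      # stack ends here; later modules never run
            continue                     # a failed 'sufficient' is ignored
        if control == "requisite" and not ok:
            return False, called         # immediate failure
        if control in ("required", "requisite"):
            required_failed = required_failed or not ok
            any_ok = any_ok or ok
        # 'optional' results are ignored in this simplified model
    return (any_ok and not required_failed), called

# Constructed scenarios: which modules accept the typed password.
BASE = {"pam_env.so": True, "pam_deny.so": False}  # pam_deny always fails
SCENARIOS = {
    "domain user": dict(BASE, **{"pam_winbind.so": True, "pam_unix.so": False, "pam_krb5.so": True}),
    "local user": dict(BASE, **{"pam_winbind.so": False, "pam_unix.so": True, "pam_krb5.so": False}),
    "wrong password": dict(BASE, **{"pam_winbind.so": False, "pam_unix.so": False, "pam_krb5.so": False}),
}

if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        ok, called = walk(parse(AUTH_STACK), outcomes)
        print(f"{name}: success={ok}, called={called}")
```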