pam_mount + pam_winbind + pam_krb5. All in one (?)
Okay.
I have Active Directory's users logging into Linux clients thanks to pam_winbind. I have Samba Shares mounted at login and unmounted at logoff thanks to pam_mount. I have Cups printing to a Windows Print Queue WITH user authentication thanks to a patched smbspool and Kerberos ticket. What I need now is to retrieve Kerberos tickets at login time WITHOUT prompting for a password. I know pam_krb5 does that, but I can't manage to fit it into /etc/pam.d/system-auth along with pam_winbind and pam_mount. That's my system-auth file:

#%PAM-1.0
auth required pam_mount.so
auth sufficient pam_winbind.so
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account sufficient pam_winbind.so
account required pam_unix.so
password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_mount.so

Anyone may help me out? Tks
Isn't PAM order sensitive?
I thought that the sufficient tests had to appear before the required in PAM because rules are evaluated in the order they appear. I may be wrong but logically if you "require" something then it doesn't make sense to have an optional test (sufficient) afterwards.
Actually the current file as it is works perfectly.
The problem is fitting pam_krb5.so into it so that a Kerberos ticket is retrieved when the user logs in.
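
Added example, not part of any post in this thread: a simplified Python model of how Linux-PAM's classic control flags (required, requisite, sufficient, optional) are evaluated in file order, run against the auth lines of the posted system-auth. The per-module success/failure values are constructed inputs, and the model ignores bracketed `[value=action]` controls.

```python
# Simplified model of Linux-PAM's four classic control flags (added example).
# AUTH_STACK is the "auth" section of the system-auth file posted in the thread.
AUTH_STACK = [
    ("required",   "pam_mount.so"),
    ("sufficient", "pam_winbind.so"),
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required",   "pam_deny.so"),
]

def evaluate(stack, results):
    """Walk the stack in file order.

    results maps module name -> True (module succeeded) / False (it failed);
    these outcomes are constructed inputs, not real module calls.
    Returns (access_granted, modules_that_ran).
    """
    required_failed = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran            # fail and stop immediately
        if control == "sufficient" and ok and not required_failed:
            return True, ran             # succeed and stop immediately
        if control == "required" and not ok:
            required_failed = True       # remember the failure, keep going
        if ok:
            any_success = True           # sufficient/optional failures are ignored
    return (not required_failed) and any_success, ran

def scenario(mount, winbind, unix):
    """Constructed outcome set: pam_env succeeds, pam_deny always fails."""
    return {"pam_mount.so": mount, "pam_winbind.so": winbind,
            "pam_env.so": True, "pam_unix.so": unix, "pam_deny.so": False}

AD_USER      = scenario(mount=True,  winbind=True,  unix=False)
LOCAL_USER   = scenario(mount=True,  winbind=False, unix=True)
BAD_PASSWORD = scenario(mount=True,  winbind=False, unix=False)
MOUNT_FAILED = scenario(mount=False, winbind=True,  unix=False)

if __name__ == "__main__":
    for name in ("AD_USER", "LOCAL_USER", "BAD_PASSWORD", "MOUNT_FAILED"):
        granted, ran = evaluate(AUTH_STACK, globals()[name])
        print(f"{name:13} granted={granted!s:5} ran={ran}")
```

In this model a module placed after a succeeding `sufficient` line never runs, which is the ordering constraint to keep in mind when adding another auth module to this stack.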