pam_mount + pam_winbind + pam_krb5. All in one (?)
 

Okay.

I have Active Directory's users logging into Linux clients thanks to pam_winbind.
I have Samba Shares mounted at login and unmounted at logoff thanks to pam_mount.
I have Cups printing to a Windows Print Queue WITH user authentication thanks to a patched smbspool and Kerberos ticket.

What I need now is to retrieve kerberos tickets at login time WITHOUT prompting for a password. I know pam_krb5 does that, but I can't manage to fit it into /etc/pam.d/system-auth along with pam_winbind and pam_mount.

Thatś my system-auth file:

#%PAM-1.0

auth required pam_mount.so
auth sufficient pam_winbind.so
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

account sufficient pam_winbind.so
account required pam_unix.so

password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_mount.so


Anyone may help me out?

Tks

Isn't pam order sensitive?
 

I thought that the sufficient tests had to appear before the required in PAM because rules are evaluated in the order they appear. I maybe wrong but logically if you "require" something then it doesn't make sense to have an optional test (sufficient) afterwards.
:newbie:

Actually the current file as it is works perfectly.
The problem is fitting pam_krb5.so into it so that a kerberos ticket is retrieved when user logs in.