- 07-08-2003 #1, Linux Guru (Join Date: Oct 2001; Location: Täby, Sweden; Posts: 7,578)
Kerberos PAM issue
Hi all!
I'm currently in the process of upgrading my home security to using Kerberos. It was previously done with NIS, but now I've mangled the passwords in the NIS maps.
I'm having a slight problem, though, which I'm not sure how to solve in a nice way. I want to have PAM support for both pam_unix and pam_krb5, so that root can log in with his locally stored password in case the network goes down for any reason. And here's the problem: account management. Here's what I have now in my PAM config regarding account management:
Code:
account sufficient pam_unix.so
account sufficient pam_krb5.so
account required pam_deny.so
As you can see, that lets a user through if he has either a valid UNIX account OR a valid Kerberos account, and naturally that's not what I want. I want the account to be invalid if the Kerberos account is explicitly invalid, but the UNIX account to be checked if the user doesn't have a Kerberos principal (as with root). So what I'd like is something like this:
Code:
account ultimate pam_krb5.so ignore_nonexistant
account required pam_unix.so
The ignore_nonexistant option would imply that the pam_krb5 module should return PAM_IGNORE if the user doesn't have a Kerberos principal. The control flag ultimate would imply that the stack returns immediately with the result returned by pam_krb5 as long as it is not PAM_IGNORE.
However, as far as I know, neither 'ultimate' nor 'ignore_nonexistant' exist. Does anyone know of a way to work around this, or do I have to rewrite both my PAM and pam_krb5?
- 07-08-2003 #2, Linux Engineer (Join Date: Jan 2003; Location: Lebanon, PA; Posts: 994)
I don't see a problem with how that works. If you have a user with a UNIX account whom you don't want to log in, why not just userdel? With the way you want to do it, wouldn't that return PAM_IGNORE every time you try to log in as root?
- 07-08-2003 #3, Linux Guru (Join Date: Oct 2001; Location: Täby, Sweden; Posts: 7,578)
The thing is that I want to manage the accounting through Kerberos, i.e. account expiration, password aging, and so on. I don't want to userdel someone just to temporarily disable their account.
Yes, it would return PAM_IGNORE every time I try to log in as root, and that's the purpose. Since root doesn't have a Kerberos account, I want it to fall back on UNIX accounting for him.
As it is now, I would have to synchronize Kerberos and UNIX accountings for it to be effective, and that's not very appealing to me.
- 07-08-2003 #4, Linux Engineer (Join Date: Jan 2003; Location: Lebanon, PA; Posts: 994)
I did a little bit of searching and found this PAM module option for krb5. Try ignore_unknown_upn. That should return PAM_IGNORE if PAM_USER has no account. Something like this should work:
auth required pam_krb5.so ignore_unknown_upn
auth sufficient pam_unix.so use_first_pass
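To make the control-flag semantics in the opening post and in post #4 concrete, here is a small added example (not code from the thread, nor from Linux-PAM or pam_krb5) that walks a PAM stack the way Linux-PAM's dispatcher does, using the `[value=action]` rules documented in pam.conf(5). The hypothetical `ultimate` flag is written as `[success=done ignore=ignore default=die]`, which Linux-PAM's bracketed control syntax can already express. The module results for root, for a user disabled in Kerberos and for a Kerberos-only user are constructed scenarios; the ignore_nonexistant/ignore_unknown_upn behaviour (pam_krb5 returning PAM_IGNORE for a user without a principal) is supplied by hand as a scenario input, since whether the module actually does that is the thread's open question.

```python
"""Simulate how Linux-PAM walks a module stack, so the account stacks from the
opening post and the auth stack from post #4 can be compared side by side.

Added example, not code from the thread: the walking rules follow the
[value=action] semantics documented in pam.conf(5); the per-user module
results further down are constructed scenarios, not real pam_unix/pam_krb5
output.
"""
import re
from enum import Enum


class Ret(Enum):
    """Subset of PAM return codes used by the scenarios."""
    SUCCESS = "PAM_SUCCESS"
    NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
    IGNORE = "PAM_IGNORE"
    AUTH_ERR = "PAM_AUTH_ERR"
    ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
    USER_UNKNOWN = "PAM_USER_UNKNOWN"
    PERM_DENIED = "PAM_PERM_DENIED"


# Keyword control flags expanded to the [value=action] tables that pam.conf(5)
# gives as their definitions. Actions: ok, done, bad, die, ignore.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Turn a control field (keyword or '[value=action ...]') into an action table."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    m = re.fullmatch(r"\[(.*)\]", control.strip())
    if not m:
        raise ValueError("unknown control flag: %s" % control)
    table = dict(pair.split("=", 1) for pair in m.group(1).split())
    if "default" not in table:
        raise ValueError("bracketed control needs an explicit default=")
    return table


def run_stack(stack, results):
    """Walk (control, module) entries; `results` maps module -> Ret for this user.

    Mirrors Linux-PAM dispatch: the first failing module's code is remembered
    and a later 'done' cannot override it, 'die' stops at once, and a stack in
    which no module decided anything is denied.
    """
    impression = None  # None: undecided, True: positive, False: negative
    status = Ret.PERM_DENIED
    for control, module in stack:
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval.name.lower(), table["default"])
        if action in ("ok", "done"):
            if impression is None or (impression and status == Ret.SUCCESS):
                impression, status = True, retval
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError("unsupported action: %s" % action)
    return status if impression is not None else Ret.PERM_DENIED


# Account stacks from the opening post. The poster's hypothetical 'ultimate'
# flag is written in Linux-PAM's bracketed syntax: success stops the stack with
# success, PAM_IGNORE falls through, any other code stops it with that failure.
ACCOUNT_NOW = [("sufficient", "pam_unix.so"),
               ("sufficient", "pam_krb5.so"),
               ("required", "pam_deny.so")]
ACCOUNT_WANTED = [("[success=done ignore=ignore default=die]", "pam_krb5.so"),
                  ("required", "pam_unix.so")]
# Auth stack suggested in post #4 (ignore_unknown_upn is what would have to
# make pam_krb5 return PAM_IGNORE; the option itself is not modelled here).
AUTH_SUGGESTED = [("required", "pam_krb5.so"),
                  ("sufficient", "pam_unix.so")]

# Constructed module results. pam_deny is modelled as an unconditional failure.
ROOT_KRB5_FAILS = {"pam_unix.so": Ret.SUCCESS, "pam_krb5.so": Ret.USER_UNKNOWN, "pam_deny.so": Ret.PERM_DENIED}
ROOT_KRB5_IGNORES = {"pam_unix.so": Ret.SUCCESS, "pam_krb5.so": Ret.IGNORE, "pam_deny.so": Ret.PERM_DENIED}
DISABLED_IN_KRB5 = {"pam_unix.so": Ret.SUCCESS, "pam_krb5.so": Ret.ACCT_EXPIRED, "pam_deny.so": Ret.PERM_DENIED}
KRB5_ONLY_USER = {"pam_unix.so": Ret.ACCT_EXPIRED, "pam_krb5.so": Ret.SUCCESS, "pam_deny.so": Ret.PERM_DENIED}

if __name__ == "__main__":
    for name, stack in (("now", ACCOUNT_NOW), ("wanted", ACCOUNT_WANTED)):
        for user, results in (("root/krb5 fails", ROOT_KRB5_FAILS), ("root/krb5 ignores", ROOT_KRB5_IGNORES),
                              ("disabled in krb5", DISABLED_IN_KRB5), ("krb5-only user", KRB5_ONLY_USER)):
            print("%-7s %-18s -> %s" % (name, user, run_stack(stack, results).value))
    print("auth/#4 root          -> %s" % run_stack(AUTH_SUGGESTED, {"pam_krb5.so": Ret.IGNORE, "pam_unix.so": Ret.SUCCESS}).value)
    print("auth/#4 bad krb5 pw   -> %s" % run_stack(AUTH_SUGGESTED, {"pam_krb5.so": Ret.AUTH_ERR, "pam_unix.so": Ret.SUCCESS}).value)
```

Running it prints one outcome line per stack and scenario. The rows worth reading together: the current stack admits a user whose Kerberos principal is expired as long as pam_unix is happy (the OR that the opening post complains about), the bracketed control makes the wanted stack refuse that user with the Kerberos code and admit root only when pam_krb5 actually returns PAM_IGNORE, and without that module-side option the wanted stack locks root out (the ROOT_KRB5_FAILS row), which is why the config change alone does not settle the question. The post #4 auth stack behaves the same way: it lets root through on the PAM_IGNORE path and refuses a bad Kerberos password even though pam_unix would have succeeded, because a failed `required` entry cannot be overridden by a later `sufficient` one.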
- 07-08-2003 #5, Linux Guru (Join Date: Oct 2001; Location: Täby, Sweden; Posts: 7,578)
Strange... When I search for ignore_unknown_upn on Google, it finds a lot on it, but it's not supported by my version, nor by the latest version available from rpmfind.net, and it doesn't seem to be supported even by the latest CVS version of the linux-pam project on SourceForge.
Thank you very much for the pointer, though. I'll continue to search for it.
- 07-09-2003 #6, Linux Engineer (Join Date: Apr 2003; Location: Sweden; Posts: 796)
Did you find any solution to this, Dolda? I'm also in the process of trying out Kerberos on an enterprise solution.
Regards
Andutt
- 07-09-2003 #7, Linux Guru (Join Date: Oct 2001; Location: Täby, Sweden; Posts: 7,578)
Sorry, not yet. I guess the worst outcome is that I'll have to add support for it myself, though. I checked the source for pam_krb5, and it seems really clean, so it wouldn't be hard.
- 07-12-2003 #8, Linux Engineer (Join Date: Apr 2003; Location: Sweden; Posts: 796)
OK, keep me posted on your progress.
Ha en bra sommar!! (in English: Have a good summer!!)
Regards
Andutt