Enabling Pam Support For Kerberos - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 08-05-2008 Installation Manual

46.9 Enabling PAM Support for Kerberos
SUSE Linux Enterprise® comes with a PAM module named pam_krb5, which supports
Kerberos login and password update. This module can be used by applications, such
as console login, su, and graphical login applications like KDM, where the user presents
a password and would like the authenticating application to obtain an initial Kerberos
ticket on his behalf.

The pam_unix2 module also supports Kerberos authentication and password update.
To enable Kerberos support in pam_unix2, edit the file
/etc/security/pam_unix2.conf so it contains the following lines:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

After that, all programs evaluating the entries in this file use Kerberos for user
authentication. For a user that does not have a Kerberos principal, pam_unix2 falls back on
the normal password authentication mechanism. For those users who have a principal,
it should now be possible to change their Kerberos passwords transparently using the
passwd command.
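
Added example (not part of the Novell manual): a Python check that parses pam_unix2.conf in the "type: options" form shown above and reports which of auth, account and password lack use_krb5 and which types carry nullok. The function names and the second sample file are constructed for illustration, and the parser assumes that "#" starts a comment.

```python
"""Check a pam_unix2.conf against the Kerberos settings in section 46.9."""
import sys

KRB5_TYPES = ("auth", "account", "password")  # types the manual sets use_krb5 on

# The configuration printed in the manual.
MANUAL_CONF = """\
auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none
"""

# Constructed sample: Kerberos enabled for auth only, with a comment line.
PARTIAL_CONF = """\
# constructed sample, not from the manual
auth: use_krb5 nullok
account:
password: nullok
"""

def parse_pam_unix2(text):
    """Return {type: [options]} from 'type: opt ...' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, opts = line.partition(":")
            conf[key.strip().lower()] = opts.split()
    return conf

def audit(text):
    """Report types lacking use_krb5 and types carrying nullok."""
    conf = parse_pam_unix2(text)
    return {
        "missing_krb5": [t for t in KRB5_TYPES if "use_krb5" not in conf.get(t, [])],
        # nullok concerns accounts with an empty password; listed for review only.
        "nullok": [t for t in conf if "nullok" in conf[t]],
    }

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/security/pam_unix2.conf"
    with open(path) as fh:
        print(audit(fh.read()))
```

Run without arguments, it reads /etc/security/pam_unix2.conf; a file path given as the first argument is read instead.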

To make fine adjustments to the way in which pam_krb5 is used, edit the file
/etc/krb5.conf and add default applications to pam. For details, refer to the manual page
with man 5 pam_krb5.

The pam_krb5 module was specifically not designed for network services that accept
Kerberos tickets as part of user authentication. This is an entirely different matter, which
is discussed below.