[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM and Kerberos problems

Hello Mike,

On Tue, 4 Sep 2001, Mike Turek wrote:

> We have PAM running using Kerberos to store the passwords and have run
> into a problem. Seems that PAM will only authenticate a user if that user
> has an account on the machine PAM is running on, even if it can find the
> name & password. Is there any way to point PAM in another direction, or
> stop it doing this check altogether?

This is not a limitation of PAM; PAM does not care if the user is local to the
Unix system or not.

However, many applications and some PAM modules (some of which are buggy in
this regard) do require that the user have a local account.  For instance,
it's not meaningful to authenticate a user to the 'login' service or the
'ssh' service if they don't have a local unix account.

If you're looking for ways to scalably manage network-wide account databases,
I suggest looking into NSS (Name Service Switch), the libc plugin API for
getxx() function calls.

Steve Langasek
postmodern programmer

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []