Linux – How to Initialize Kerberos Ticket on SSH Login Using PAM

Tags: centos7, kerberos, linux, pam, winbind

Right, so I am struggling a bit with PAM in CentOS 7.

I have no idea how to configure it manually and make the changes permanent so that I get a Kerberos ticket after a successful SSH login.

The primary authentication method as you can see is winbind and I want it to stay like this.

So far I have this in my /etc/pam.d/system-auth, which is auto-generated using authconfig:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

In earlier releases I would add:

auth optional       pam_krb5.so       try_first_pass

Any idea how to do this in CentOS 7? I don't want to use Kerberos for authentication as it will probably mess up everything on a password change.

Best Answer

Set krb5_auth = yes in /etc/security/pam_winbind.conf. This file should be safe from any updates by authconfig.

You could use auth sufficient pam_winbind.so use_first_pass krb5_auth in PAM, but that might be overridden by authconfig.
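
To confirm the setting from the answer is actually in effect, the following added example (not part of the original answer) reads a pam_winbind.conf-style file and reports the effective krb5_auth value in [global]. The function name winbind_krb5_auth and the sample file contents are constructed for illustration; the check assumes lines starting with ';' or '#' are comments and treats only the value "yes", as given in the answer, as enabled.

```shell
#!/bin/sh
# Added example: report whether krb5_auth is enabled for pam_winbind.
# Prints "yes" only if an uncommented "krb5_auth = yes" appears in the
# [global] section; commented-out lines (';' or '#') are ignored so a
# commented default is not mistaken for an active setting.
winbind_krb5_auth() {
    conf=${1:-/etc/security/pam_winbind.conf}
    [ -r "$conf" ] || { echo "no"; return 0; }
    awk '
        /^[ \t]*[;#]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global {
            n = index($0, "=")
            if (n == 0) next
            k = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, n + 1));    gsub(/[ \t\r]/, "", v)
            if (k == "krb5_auth") val = v      # last assignment wins
        }
        END { if (val == "yes") print "yes"; else print "no" }
    ' "$conf"
}

# Constructed sample: a commented default followed by the active setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
;krb5_auth = no
krb5_auth = yes
;krb5_ccache_type =
EOF
echo "krb5_auth effective: $(winbind_krb5_auth "$sample")"
rm -f "$sample"
```

Called with no argument, the function checks /etc/security/pam_winbind.conf; after the next SSH login, klist run as that user shows whether a ticket was obtained.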