Right, so I am struggling a bit with PAM in Centos7.
I have no idea how to configure it manually and make the changes permanent so that I get a kerberos ticket after a successful ssh login.
The primary authentication method as you can see is winbind and I want it to stay like this.
So far I have in my /etc/pam.d/system-auth which is auto-generated using authconfig:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
In earlier releases I would add:
auth optional pam_krb5.so try_first_pass
Any idea how to do this in Centos7? I don't want to use kerberos for authentication as it will probably mess up with everything on a password change.
Best Answer
Set
krb5_auth = yes
in/etc/security/pam_winbind.conf
. This file should be safe from any updates byauthconfig
.You could use
auth sufficient pam_winbind.so use_first_pass krb5_auth
in pam, but that might be overridden byauthconfig
.