I am using pam_krb5 with local accounts (Linux) for AD password authentication. Things are working great, users are able to authenticate with both AD and local passwords.
I am having a problem though: when the local password expires, Kerberos authentication fails and prompts the user to change their local password. The issue is that most users cannot remember their local password, and my workaround so far has been to temporarily disable local password change enforcement.
Is there a way to have pam_krb5 ignore expired local passwords, or at least configure PAM to prioritize Kerberos passwords over local?
My research led me to believe it has something to do with common-auth, which I have provided below:
auth required pam_env.so
auth sufficient pam_unix2.so
auth requisite pam_succeed_if.so user ingroup access_www
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
Best Answer
Put pam_krb5 before pam_unix2 (and keep the use_first_pass on the latter entry).
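The reordered common-auth stack that the answer describes, written out as an added example (this is not the answerer's own file; it is the asker's five lines with only the order and the use_first_pass placement changed, plus comments on what each entry now does):

```pam
# /etc/pam.d/common-auth -- reordered so Kerberos is tried before the local password
auth    required    pam_env.so
# Kerberos first. It is now the first module that needs a password, so it
# prompts for it itself; no use_first_pass here.
auth    sufficient  pam_krb5.so
# Local accounts fall through to here. use_first_pass reuses the password
# pam_krb5 already collected, so the user is prompted only once.
auth    sufficient  pam_unix2.so use_first_pass
# Unchanged from the original stack. Note that it now sits after both
# sufficient entries, so it only runs when Kerberos and the local password
# have both failed, and no longer gates which users may authenticate via
# Kerberos as it did when it preceded pam_krb5.
auth    requisite   pam_succeed_if.so user ingroup access_www
auth    required    pam_deny.so
```

Two things worth checking after making this change. First, if the access_www group check was meant to restrict who can log in with an AD password, that restriction is lost in the reordered stack above; it would have to be re-established in front of pam_krb5 with a control that skips pam_krb5 rather than failing the whole stack, since a plain requisite placed first would also lock out local users outside that group. Second, the "change your local password" prompt comes from local password ageing, which PAM enforces in the account phase (the pam_unix2 entry in common-account), not in common-auth; if the prompt persists after reordering the auth stack, that is where the expiry check lives.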