> PAM itself doesn't care about local vs. non-local accounts. If you're
> having trouble with this, you almost certainly have a module in your PAM
> config which you shouldn't -- such as pam_unix, which by definition
> requires local accounts and will give you a failure for anything else.
>
> Someone on the list may be able to pinpoint the exact trouble if you
> dump us your PAM config for freeradius.

I did in a previous post, but here it is again for convenience:

    #%PAM-1.0
    auth      required    /usr/pam/lib/security/pam_krb5.so
    account   required    /usr/pam/lib/security/pam_permit.so

I also tried the following:

    #%PAM-1.0
    auth      required    /usr/pam/lib/security/pam_krb5.so

And...

    #%PAM-1.0
    auth      sufficient  /usr/pam/lib/security/pam_krb5.so
    auth      required    /usr/pam/lib/security/pam_unix.so

(Which allowed logins from anyone using either his/her Kerberos password
or his/her local Unix password.)

In all three cases, users are only allowed to login if they have local
accounts.

Also, note that in all three cases, what is shown above is the *complete*
pam.d/radiusd file. I have not removed "irrelevant" lines from the file.
If I need a "session" line as well, that's fine, but I'd love to know why
PAM thinks so...

--J