I did some work with Russ' module on OpenSolaris and Solaris 10 release 4 (which has Kerberos headers and libraries). I noted a small issue (crash of pam_krb5 when calling pam_setcred in cache_init_from_cache, since for some reason the pointer to the old cache is NULL). There also seems to be a problem with retrieving the old token, as the module will ask again for the current password (although this is related to using Sun's pam_authtok_get.so.1 to retrieve tokens/passwords).

My check tool output. (The user mm is set up on win2k3 R2 for authentication and LDAP authorization.)

    # ./check_user
    ==> called pam_start() got: `Success' `0'
    ==> called pam_start() got: `Success' `0'
    Please enter user name: mm
    Password:
    ==> called pam_authenticate() got: `Get new authentication token' `10'
    New Password:
    Current Kerberos password:
    Re-enter new Password:
    ==> called pam_chauthtok() got: `Success' `0'
    ==> called pam_acct_mgmt() got: `Success' `0'
    UID : 0
    eUID : 0
    ==> called pam_open_session() got: `Success' `0'
    Segmentation Fault(coredump)

    cache_init_from_cache(struct pam_args *args, const char *ccname,
                          krb5_ccache old, krb5_ccache *cache)
    {
        struct context *ctx;
        krb5_creds creds;
        krb5_cc_cursor cursor;
        int pamret;
        krb5_error_code status;

        memset(&creds, 0, sizeof(creds));
        if (args == NULL || args->ctx == NULL || args->ctx->context == NULL)
            return PAM_SERVICE_ERR;
        ctx = args->ctx;
        status = krb5_cc_start_seq_get(ctx->context, old, &cursor);
        if (status != 0) {

pam.conf extract:

    #
    #
    #
    check_user auth requisite pam_authtok_get.so.1
    check_user auth sufficient pam_krb5-3.9.so use_first_pass debug
    check_user auth sufficient pam_krb5-3.9.so realm=SUSE.HOME use_first_pass debug
    check_user auth required pam_krb5-3.9.so realm=WIN2003R2.HOME use_first_pass debug
    check_user auth required pam_unix_auth.so.1 use_first_pass debug
    #
    #
    # passwd command (explicit because of a different authentication module)
    #
    passwd auth sufficient pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 debug
    passwd auth sufficient pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 realm=SUSE.HOME use_first_pass debug
    passwd auth sufficient pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 realm=WIN2003R2.HOME use_first_pass debug
    passwd auth required pam_passwd_auth.so.1 use_first_pass
    #
    #
    #
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password sufficient pam_krb5-3.9.so minimum_uid=200 use_first_pass debug
    other password sufficient pam_krb5-3.9.so minimum_uid=200 realm=SUSE.HOME use_first_pass debug
    other password sufficient pam_krb5-3.9.so minimum_uid=200 realm=WIN2003R2.HOME use_first_pass debug
    other password required pam_authtok_store.so.1 use_first_pass
    .

The passwd works fine with the above config

    # passwd mm
    Password:
    New Password:
    Re-enter new Password:

Markus

"Russ Allbery" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Coy Hile <[EMAIL PROTECTED]> writes:
>
>> Does your pam_krb5 implementation support this type of setup? The stock
>> one that ships with Solaris does not.
>
> Yup, it should prompt the user to change their password. It just makes
> use of the support inside the Kerberos libraries for doing so, though, so
> that may not work when built against the Solaris Kerberos libraries if
> they don't include that support. I don't know; I don't use Solaris's
> Kerberos implementation.
>
> --
> Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos