I have our systems set up to try pam_unix first, then pam_krb5. This way if you try a root login, the local is matched first. I then add "use_first_pass" as a parameter to pam_krb5, such that you do not get a second prompt.
[EMAIL PROTECTED]:~$ cat /etc/pam.d/common-auth auth sufficient pam_unix.so nullok_secure auth sufficient pam_krb5.so use_first_pass auth required pam_deny.so This is on an Ubuntu machine, so some changes may need to be made for other platforms. Good luck! -- Kevin Otte, N8VNR [EMAIL PROTECTED] http://www.nivex.net/ -=- "Those who cannot remember the past are condemned to repeat it." -- George Santayana "It seems no one reads Santayana anymore." -- Cdr. Susan Ivanova, Babylon 5 -- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
