PAM Kerberos Release Notes for HP-UX 11i
Notes, Cautions and Warnings
• For each user, make sure that the UNIX uid, home directory, and shell information exist in
the UNIX repository, /etc/passwd.
• The Kerberos PAM module sets and uses an environment variable, KRB5CCNAME, during
authentication. Concurrent execution of any PAM modules in the same shell environment
may result in unexpected behavior.
• If the superuser root changes a user's password, the passwd program under the HP-UX
environment does not prompt for the old password. However, when the Kerberos PAM
module, libpam_krb5.1, is stacked with the UNIX PAM module, libpam_unix.1, in the
pam.conf file, the behavior is different.
For example, under this pam.conf configuration:
passwd password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_krb5.1 use_first_pass
When the superuser root changes a user's Kerberos password, the old password is
required. However, when UNIX PAM is the first module in the stack, it does not store the
old password, so a special situation arises in which the Kerberos password change fails.
This failure is caused by the fact that the password is changed for the UNIX account, but
is not changed for the Kerberos account. You can avoid this situation by not using the
use_first_pass option.
• To take advantage of the user policy definition service module libpam_updbe.1
(pam_updbe(5)), this module must be the first module in the stack, as shown in the
example below:
# pam.conf:
#
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
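
The two stacking notes above (use_first_pass on libpam_krb5.1 after libpam_unix.1 in a password stack, and libpam_updbe.1 required to be first in its stack) can be checked mechanically. The following sh/awk lint is an added example, not part of the HP release notes; the function names, finding labels and sample file are constructed for illustration.

```sh
#!/bin/sh
# Lint a pam.conf for the two stacking problems described in the notes above.
check_pam_conf() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }            # skip comments and incomplete lines
    {
        key = $1 " " $2                      # one stack per service + module type
        pos[key]++                           # position of this module in its stack
        n = split($4, p, "/"); mod = p[n]    # module file name without directory
        opts = " "
        for (i = 5; i <= NF; i++) opts = opts $i " "

        # Rule 1: libpam_updbe.1 must be the first module in its stack.
        if (mod == "libpam_updbe.1" && pos[key] > 1)
            printf "UPDBE_NOT_FIRST %s line %d\n", key, NR

        # Rule 2: libpam_krb5.1 with use_first_pass placed after libpam_unix.1
        # in a password stack; a root-initiated change updates only UNIX.
        if ($2 == "password") {
            if (mod == "libpam_unix.1") unix_seen[key] = 1
            if (mod == "libpam_krb5.1" && unix_seen[key] && opts ~ / use_first_pass /)
                printf "KRB5_USE_FIRST_PASS %s line %d\n", key, NR
        }
    }' "$1"
}

# Constructed sample: the passwd stack from the note, plus a login stack in
# which libpam_updbe.1 has been placed second (constructed ordering).
write_sample() {
    cat > "$1" <<'EOF'
passwd password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_krb5.1 use_first_pass
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_updbe.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
EOF
}

# Stand-alone use: sh lint.sh /etc/pam.conf
if [ $# -gt 0 ]; then check_pam_conf "$1"; fi
```

No output means neither problem was found; each finding names the service, module type and line number to review.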