PAM Kerberos Release Note, HP 9000 Networking

Notes, Cautions and Warnings
It is assumed that the system administrator is familiar with the Kerberos system. The
configuration procedures are provided as a quick reference only.
For each user, make sure that the UNIX uid, home directory, and shell information exist in
the UNIX repository, such as /etc/passwd.
The Kerberos PAM module sets and uses an environment variable, KRB5CCNAME, during
authentication. Concurrent execution of any PAM modules in the same shell environment
may result in unexpected behavior.
If the super user, root, changes a user's password, the passwd program under the HP-UX
environment will not prompt for the old password. However, when the Kerberos PAM module,
libpam_krb5.1, is stacked with the UNIX PAM module, libpam_unix.1, in the pam.conf file, the
behavior is different.
For example, under this pam.conf configuration:
passwd password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_krb5.1 use_first_pass
When the super user, root, changes a user's Kerberos password, the old password is
required. However, because UNIX PAM is the first module in the stack, it will not have
stored the old password, so the Kerberos password change fails. Consequently, the
password is changed for the UNIX account, but NOT changed for the Kerberos account. To
avoid this, do not use the use_first_pass option.
To take advantage of the user policy definition service module libpam_updbe.1
(pam_updbe(5)), this module must be the first module in the stack as in the example
below:
# pam.conf:
#
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
#
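
Both stacking rules above can be checked mechanically. The shell function below is an added example, not part of the release note or of HP's tooling; the name check_pam_conf is hypothetical, and it assumes the pam.conf entry layout shown in the examples above (service, module type, control flag, module path, options).

```shell
#!/bin/sh
# Added example, not from the release note: lint a pam.conf for the two
# stacking problems described above. Reads the file named in $1, or stdin.
# Entry format: service module_type control_flag module_path [options]
check_pam_conf() {
    awk '
    { sub(/#.*$/, "") }                 # drop whole-line and trailing comments
    NF < 4 { next }                     # skip blank or incomplete entries
    {
        stack = $1 "/" $2               # e.g. passwd/password, login/auth
        pos[stack]++                    # position of this module in its stack
        n = split($4, parts, "/")
        module = parts[n]               # basename, e.g. libpam_krb5.1

        # pam_updbe must be the first module in its stack.
        if (module ~ /^libpam_updbe\./ && pos[stack] > 1) {
            printf "%s: %s is at position %d, must be first\n", stack, module, pos[stack]
            bad = 1
        }
        if (module ~ /^libpam_unix\./)
            unix_seen[stack] = 1

        # Kerberos stacked after UNIX PAM with use_first_pass: a password change
        # by root updates the UNIX account but fails for the Kerberos account.
        if ($2 == "password" && module ~ /^libpam_krb5\./ && unix_seen[stack])
            for (i = 5; i <= NF; i++)
                if ($i == "use_first_pass") {
                    printf "%s: %s uses use_first_pass after libpam_unix\n", stack, module
                    bad = 1
                }
    }
    END { exit bad + 0 }                # status 1 when anything was reported
    ' "$@"
}

# Constructed sample: the passwd stack from the note plus a misordered login stack.
check_pam_conf <<'EOF' || true
passwd password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_krb5.1 use_first_pass
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_updbe.1
EOF
```

Run it against the live file as check_pam_conf /etc/pam.conf; a non-zero exit status means at least one stack needs attention.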