PAM Kerberos Release Notes for HP-UX 11.0

Notes, Cautions and Warnings
For each user, make sure that the UNIX uid, home directory, and
shell information exist in the UNIX repository, /etc/passwd.

The Kerberos PAM module sets and uses an environment variable,
KRB5CCNAME, during authentication. Running PAM modules
concurrently in the same shell environment may result in
unexpected behavior.

If the superuser root changes a user's password, the passwd
program under the HP-UX environment does not prompt for the old
password. However, when the Kerberos PAM module, libpam_krb5.1, is
stacked with the UNIX PAM module, libpam_unix.1, in the pam.conf
file, the behavior is different.

For example, under this pam.conf configuration:

passwd password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_krb5.1 use_first_pass

When the superuser root changes a user's Kerberos password, the
old password is required. However, when UNIX PAM is the first
module in the stack, it does not store the old password, so the
Kerberos password change fails: the password is changed for the
UNIX account, but is not changed for the Kerberos account. You can
avoid this situation by not using the use_first_pass option.

To take advantage of the user policy definition service module
libpam_updbe.1 (pam_updbe(5)), this module must be the first
module in the stack, as shown in the example below:

# pam.conf:
#
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
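
The two stacking caveats above can be checked mechanically. The shell function below is an added example, not part of the HP release notes; it assumes the usual pam.conf layout (service, module type, control flag, module path, then options on one line), and the finding labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HP code): lint pam.conf for the two stacking caveats above.
# Finding names are labels invented for this sketch.
check_pam_conf() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }      # skip comments, blank and malformed lines
    {
        key = $1 " " $2                # one stack per service + module type
        pos[key]++                     # position of this entry in its stack
        opts = ""
        for (i = 5; i <= NF; i++) opts = opts " " $i
        if ($4 ~ /libpam_unix\.1$/) unix_seen[key] = 1
        # libpam_updbe.1 must be the first module in its stack
        if ($4 ~ /libpam_updbe\.1$/ && pos[key] != 1)
            print "UPDBE_NOT_FIRST: " key
        # krb5 reusing the password from a preceding UNIX module in a
        # password stack: root-initiated changes update UNIX but not Kerberos
        if ($2 == "password" && $4 ~ /libpam_krb5\.1$/ &&
            (key in unix_seen) && opts ~ / use_first_pass( |$)/)
            print "KRB5_USE_FIRST_PASS_AFTER_UNIX: " key
    }' "$1"
}

# Constructed sample input: the passwd stack from the notes plus a login
# stack with libpam_updbe.1 misplaced in second position.
sample="${TMPDIR:-/tmp}/pam.conf.sample.$$"
cat > "$sample" <<'EOF'
# pam.conf (constructed sample)
passwd password required   /usr/lib/security/libpam_unix.1
passwd password required   /usr/lib/security/libpam_krb5.1 use_first_pass
login  auth     sufficient /usr/lib/security/libpam_krb5.1
login  auth     required   /usr/lib/security/libpam_updbe.1
login  auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
EOF
check_pam_conf "$sample"
rm -f "$sample"
```

Each finding line names the affected service and module type, so an empty result means neither caveat applies to the file.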