PAM Kerberos v 1.24 Release Notes

product to work properly, each occurrence of the libpam_krb5.1 library in the
/etc/pam.conf file must be specified as a relative path. To view a sample
/etc/pam.conf file with the relative path, see the pam.conf(4) manpage.

Notes, Cautions, and Warnings
Following are some notes, cautions, and warnings related to PAM Kerberos v 1.24:

For each user, ensure that the UNIX uid, home directory, and shell information
exist in the UNIX repository, /etc/passwd or any name service database.

The Kerberos PAM module sets and uses KRB5CCNAME during authentication. If
applications accessing KRB5CCNAME execute simultaneously in the same shell
environment, there can be unexpected results.

If the superuser changes a user's password, the passwd program under the HP-UX
environment does not prompt for the old password. However, if the user's
password needs to be changed through PAM-Kerberos, the superuser must enter
the old password of the user. For example, consider the following scenario where
the PAM-Kerberos module, libpam_krb5.so.1, is stacked with UNIX PAM,
libpam_unix.so.1, in the pam.conf file:

    passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
    passwd password required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass

In this configuration, the UNIX PAM module is the first in the stack. When the
superuser changes a user's Kerberos password, the old password is required.
However, UNIX PAM does not store old passwords. As a result, the Kerberos
password change fails. This failure occurs because the UNIX account password
has been changed, but the Kerberos account password remains the same. HP
recommends that you do not use the use_first_pass option in such situations.

To take advantage of the pam_updbe user policy definition service module, this
module must be the first module in the stack, as shown in the following example
(on an HP-UX 11i v2 operating system):

    # pam.conf:
    #
    login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
    login auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
    login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
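
A configuration check for the two stacking rules above, as an added example that is not part of the HP release notes: it parses pam.conf entries and flags a password stack where libpam_krb5 uses use_first_pass after libpam_unix, and any stack where libpam_updbe is not the first module. The finding labels and the sample input are constructed for illustration.

```python
import re

# Constructed sample: the stacks from the notes above, with the pam_updbe
# line deliberately moved out of first position so both rules trigger.
SAMPLE = """\
# pam.conf (constructed sample)
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
login auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
"""

def parse(text):
    """Group pam.conf entries into ordered stacks keyed by (service, type)."""
    stacks = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 4:
            continue  # blank, comment-only or incomplete line
        service, mtype, _control, path, *opts = fields
        stacks.setdefault((service, mtype), []).append((lineno, path, opts))
    return stacks

def module(path):
    """Reduce a module path to its base name, e.g. libpam_krb5."""
    return re.sub(r"(\.so)?\.\d+$", "", path.rsplit("/", 1)[-1])

def lint(text):
    """Return (line number, label) pairs; labels are hypothetical names."""
    findings = []
    for (_service, mtype), entries in parse(text).items():
        names = [module(p) for _, p, _ in entries]
        for idx, (lineno, _path, opts) in enumerate(entries):
            name = names[idx]
            # Rule 1: Kerberos password change reuses a password after UNIX PAM ran.
            if (mtype == "password" and name == "libpam_krb5"
                    and "use_first_pass" in opts
                    and "libpam_unix" in names[:idx]):
                findings.append((lineno, "krb5-use_first_pass-after-unix"))
            # Rule 2: pam_updbe must be the first module in its stack.
            if name == "libpam_updbe" and idx != 0:
                findings.append((lineno, "updbe-not-first"))
    return findings

if __name__ == "__main__":
    for lineno, label in lint(SAMPLE):
        print(f"line {lineno}: {label}")
```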