PAM Kerberos v1.26 Release Notes
Notes, Cautions, and Warnings
Following are some notes, cautions, and warnings related to PAM Kerberos v1.26:
• For each user, ensure that the UNIX uid, home directory, and shell information exist in the
UNIX repository, /etc/passwd or any name service database.
• The Kerberos PAM module sets and uses KRB5CCNAME during authentication. If applications
accessing KRB5CCNAME execute simultaneously in the same shell environment, there can be
unexpected results.
• If the superuser changes a user's password, the passwd program under the HP-UX
environment does not prompt for the old password. However, if the user’s password needs
to be changed through PAM-Kerberos, the superuser must enter the old password of the
user. For example, consider the following scenario where the PAM-Kerberos module,
libpam_krb5.so.1, is stacked with UNIX PAM, libpam_unix.so.1 in the pam.conf
file:
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
In this configuration, the UNIX PAM module is the first in the stack. When the superuser
changes a user's Kerberos password, the old password is required. However, UNIX PAM
does not store old passwords. As a result, the Kerberos password change fails. This failure
occurs because the UNIX account password has been changed, but the Kerberos account
password remains the same. HP recommends that you do not use the use_first_pass
option in such situations.
• To take advantage of the pam_updbe user policy definition service module, this module
must be the first module in the stack, as shown in the following example (on an HP-UX 11i
v2 operating system):
# pam.conf:
#
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
login auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
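The two stacking cautions above (use_first_pass on libpam_krb5.so.1 behind UNIX PAM in a password stack, and pam_updbe not being first in its stack) can be checked mechanically. The following script is an added example, not part of the HP release notes or the product; the function names and the sample pam.conf are constructed for illustration, and the parser assumes the usual pam.conf field order (service, module type, control flag, module path, options).

```python
import os

# Constructed sample pam.conf (not from a real host) that reproduces both
# stacking problems described in the notes above.
SAMPLE = """\
# pam.conf (constructed sample)
login  auth     sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login  auth     required   /usr/lib/security/$ISA/libpam_updbe.so.1
login  auth     required   /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
passwd password required   /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required   /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
"""


def parse_stacks(text):
    """Group entries by (service, module_type), preserving file order."""
    stacks = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or incomplete entry
        service, mtype, _control, path, *opts = fields
        entry = (lineno, os.path.basename(path), opts)
        stacks.setdefault((service, mtype), []).append(entry)
    return stacks


def audit(text):
    """Return sorted (line, message) findings for the two stacking cautions."""
    findings = []
    for (service, mtype), stack in parse_stacks(text).items():
        seen_unix = False
        for pos, (lineno, name, opts) in enumerate(stack):
            # The notes require pam_updbe to be the first module in the stack.
            if name.startswith("libpam_updbe") and pos != 0:
                findings.append((lineno, f"{service} {mtype}: libpam_updbe is not first"))
            # krb5 reusing the password collected by UNIX PAM: a superuser
            # change updates the UNIX password but not the Kerberos one.
            if (mtype == "password" and seen_unix
                    and name.startswith("libpam_krb5") and "use_first_pass" in opts):
                findings.append((lineno, f"{service} password: krb5 use_first_pass after libpam_unix"))
            seen_unix = seen_unix or name.startswith("libpam_unix")
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(f"pam.conf line {lineno}: {message}")
```

To audit a real file, pass its contents to audit() instead of SAMPLE; an empty result means neither condition was found.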
Related Documentation
The following documents are available for the PAM Kerberos v1.26 product:
• Configuration Guide for Kerberos Products on HP-UX (5991-7718) at: http://www.docs.hp.com
• Manpages: krb5.conf(4), kerberos(9), pam.conf(4), pam_user.conf(4), pam(3), pam_krb5(5),
and pam_updbe(5)
• PAM RFC - 86.0 at: http://www.opengroup.org/tech/rfc/rfc86.0.html
• Kerberos RFC - 1510 at: http://www.ietf.org/rfc/rfc1510.txt?number=1510
Microsoft Documentation
• Windows 2000 Kerberos Authentication White Paper, Microsoft Corp at:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp
Software Availability in Native Languages
PAM Kerberos v1.26 is available in English only.