I've installed Kerberos on the Debian machine that hosts an internal application, to be able to use it to authenticate users against our AD.
This works.

However, Kerberos seems to feel responsible for managing the Linux user accounts on that machine as well and tells the admin to enter the "Current Kerberos Password" when he tries to change a user's password.

Since I neither need nor want the Linux users to be managed by Kerberos, is there a way to configure Kerberos so that it only acts when asked by Apache?

I realise there are some settings in /etc/pam.d/ but I'm unsure what changes would be safe.

npst
  • I'm unsure if this is on topic here, so feel free to migrate to Superusers or Unix – npst Oct 16 '13 at 13:14
  • What are you doing when it tells you 'Current Kerberos Password'? What do you mean with 'change user's password'? You mean 'passwd foobar'? Maybe you should check your nsswitch.conf... – jirib Oct 16 '13 at 13:38
  • yes, 'passwd foobar' is followed by "Current Kerberos Password". My nsswitch.conf shows passwd: compat – npst Oct 16 '13 at 14:57
  • Depends on your system, I don't know Debian, but something added pam_krb5.so into your pam files. You have to remove it from files which are not related to your "services". Refer to Debian PAM documentation. Warning: having wrong pam files could make your system accessible without password (or I think at least). If you have backup of previous files, it's easy to compare. Or compare with non-kerberized Debian installation. If httpd does not need PAM, you could probably uninstall libpam-krb5 or something like that. – jirib Oct 16 '13 at 18:50
  • Right, the question would be what pam-things httpd uses, then. thanks. – npst Oct 17 '13 at 02:59
  • For now, I have changed the /etc/pam.d/common-password to pam_unix.so. An explanation of what pam.d actions are used when Apache authenticates via Kerberos would still be a welcome answer. – npst Oct 17 '13 at 10:24
  • Enough. Please read documentation. You do not need httpd to talk to PAM for kerberos, as it can do it itself. Read httpd docs, google... – jirib Oct 17 '13 at 10:36
  • You obviously forgot that I'm using KErberos for SSO purposes here, where httpd DOES come in handy. – npst Oct 17 '13 at 10:44
  • Then maybe your whole problem is nonsense. The user executing 'passwd' is asked for Kerberos because he does not have a Kerberos ticket. Only Kerberos tickets make SSO. The user would not be asked for a password if he already had a Kerberos ticket initialized on his client, that is, before doing ssh to another server... – jirib Oct 17 '13 at 10:58
  • Once again, I thank you for your opinion, but all this was clearly(?) stated in the original post. – npst Oct 17 '13 at 11:42

1 Answer

Your PAM configuration for passwd, usually /etc/pam.d/chpasswd, is making a call to pam_krb5.so, either directly or as part of an include statement.

Kerberos (GSSAPI/SPNEGO) for HTTP SSO is handled outside of PAM, which makes the most expedient solution to remove it entirely from your PAM config (hopefully using a method similar to whatever put it in).

84104
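The answer's advice, and jirib's warning in the comments that a wrongly edited PAM file can leave a system reachable without a password, are what the following added example illustrates. It is not code from the original question or answer. It assumes the Debian layout where pam-auth-update generated the /etc/pam.d/common-* stacks, so the proper way to undo what put pam_krb5.so there is `pam-auth-update --remove krb5` (or purging libpam-krb5); the script is for the case where you edit by hand anyway and want to check the result. The two sample stacks are constructed, modelled on what pam-auth-update writes to common-password with libpam-krb5 installed; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original answer). Strips pam_krb5.so from a
# Debian-style PAM stack and re-checks every [success=N] style jump, because
# the Debian common-* files chain modules with "skip N" controls: deleting a
# line without recounting the jumps can make a later jump run off the end of
# the stack instead of landing on pam_deny.so / pam_permit.so.

# Constructed sample: common-password as generated with libpam-krb5 installed.
SAMPLE_WITH_KRB5='# /etc/pam.d/common-password - password-related modules common to all services
password  requisite                   pam_cracklib.so retry=3 minlen=8 difok=3
password  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so'

# Constructed sample of a careless hand edit: pam_unix.so was deleted but the
# pam_krb5.so line kept its success=2, so a Kerberos success now skips past
# both pam_deny.so and pam_permit.so.
SAMPLE_BAD_EDIT='password  requisite                   pam_cracklib.so retry=3 minlen=8 difok=3
password  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
password  requisite                   pam_deny.so
password  required                    pam_permit.so'

# find_krb5_refs DIR: list the pam.d files that still reference pam_krb5.so
# (defaults to /etc/pam.d; on a live box this is what to run first).
find_krb5_refs() {
    grep -l 'pam_krb5\.so' "${1:-/etc/pam.d}"/* 2>/dev/null
}

# strip_krb5: copy stdin to stdout, dropping every module line for pam_krb5.so
# while leaving comments and all other modules untouched.
strip_krb5() {
    awk '/^[ \t]*#/ { print; next }
         $0 ~ /(^|[ \t])pam_krb5\.so([ \t]|$)/ { next }
         { print }'
}

# check_jumps: read a PAM stack from stdin and verify that every numeric
# "retval=N" control (success=2, default=1, ...) lands on a module of the same
# type.  A jump that runs past the last module is reported and the function
# returns 1; the check is deliberately conservative and does not try to reason
# about what Linux-PAM does with an overshooting jump.
check_jumps() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        type = $1; sub(/^-/, "", type)      # "-session" marks an optional module
        n[type]++; idx = n[type]            # 1-based position within this stack
        if (match($0, /\[[^]]*\]/)) {        # bracketed control field present
            ctl = substr($0, RSTART + 1, RLENGTH - 2)
            m = split(ctl, tok, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (tok[i] ~ /^[A-Za-z_]+=[0-9]+$/) {
                    split(tok[i], kv, "=")
                    jump[type, idx, kv[1]] = kv[2] + 0
                }
        }
    }
    END {
        bad = 0
        for (k in jump) {
            split(k, p, SUBSEP); t = p[1]; i = p[2] + 0; rv = p[3]
            target = i + jump[k] + 1        # module that runs after skipping N
            if (target > n[t]) {
                printf "bad jump: %s module %d (%s=%d) runs off the end of the stack\n", t, i, rv, jump[k]
                bad = 1
            }
        }
        exit bad
    }'
}

# Demonstration on the constructed samples (on a real host you would run
#   strip_krb5 < /etc/pam.d/common-password > /tmp/common-password.new
#   check_jumps < /tmp/common-password.new && echo "jumps ok"
# and only then copy the file into place).
printf '%s\n' "$SAMPLE_WITH_KRB5" | strip_krb5 | check_jumps && echo "stripped stack: jumps ok"
printf '%s\n' "$SAMPLE_BAD_EDIT" | check_jumps || echo "hand-edited stack: rejected"
```

The stripped stack still works because pam_unix.so keeps its `success=1`, which skips pam_deny.so and lands on pam_permit.so exactly as before; the hand-edited stack is the failure mode the comments warn about, where the remaining `success=2` no longer has two modules to skip. Apache's mod_auth_kerb / mod_auth_gssapi never enters any of these stacks, so nothing on the HTTP SSO side depends on pam_krb5.so being present.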