I've recently set up a Linux system (Debian Jessie) which has joined an MS-based Kerberos domain and been set up to allow Kerberos-based authentication for remote access.
The only issue is, authentication won't succeed unless there's a matching local user. For instance, if I attempt to log in as wboynton@EXAMPLE.COM@xx.xxx.xxx.xx, it will accept my password and I will watch auth.log confirm my Kerberos authentication and then reject me due to a failure to find me in /etc/shadow.
Then, if I run sudo adduser wboynton on the remote machine and try logging in remotely the same way as before, it will succeed.
I looked around and found one suggestion on the internet to write a pam_script script which would create a user before testing auth on each kerberized login attempt, if it does not already exist. That seems kludgy to me, though. I haven't, as of yet, been able to track down a solid way to designate Kerberos as an authority and bypass /etc/passwd and /etc/shadow entirely. Does such a system exist?
Thanks!