PAM with KRB5 to Active Directory - How to prevent update of AD password?

Posted by Ex Umbris on Server Fault See other posts from Server Fault or by Ex Umbris
Published on 2011-05-09T22:40:19Z Indexed on 2012/11/25 17:06 UTC
Read the original article Hit count: 201

Filed under:
|
|
|
|

I have a working Fedora 9 system that's set up to authenticate users via PAM -> krb5 -> Active Directory. I'm migrating this to Fedora 14, and everything works, but it's working too well :-) On Fedora 9, if a Linux user updated their password, it did not propagate to their Active Directory account. On Fedora 14, it is changing their A/D password. The problem is I don't want A/D to be updated. Here's my password-auth-ac:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

I tried removing the line

password    sufficient    pam_krb5.so use_authtok

But then when attempting to change the Linux password, if they provide their A/D password for the authentication prompt, they get the error:

passwd: Authentication token manipulation error

What I want to achieve is:

  1. Allow authentication with either the A/D or Linux password (the Linux password is a fall-back for certain sysadmin users in case A/D is unavailable for some reason). This is working now.
  2. Allow users to change their Linux passwords without affecting their A/D passwords.

Is this possible?

© Server Fault or respective owner

Related posts about linux

Related posts about active-directory