[tac_plus] AD version of the pam guide
Adam Allred
prozaconstilts at gmail.com
Wed Apr 25 21:54:57 UTC 2012

no_user_check
tells pam_krb5.so to not check if a user exists on the local system,
to skip authorization checks using the user's .k5login file, and to
create ccache files owned by the current process's UID. This is useful
for situations where a non-privileged server process needs to use
Kerberized services on behalf of remote users who may not have local
access. Note that such a server should have an encrypted connection
with its client in order to avoid allowing the user's password to be
eavesdropped.

So maybe that option to pam_krb5 (though I'm not sure to which service
type you should pass that option) will get what you need without
having to list a local user account.

On Wed, Apr 25, 2012 at 2:33 PM, heasley <heas at shrubbery.net> wrote:
> Wed, Apr 25, 2012 at 11:59:08AM -0600, Daniel Schmidt:
>> So... you're saying.... homer would need to exist locally on the box
>> first? :-\
>
> or, there would need to be a krb5 version of this that is "sufficient" or
> whatever the knob is to stop processing:
>
>> > account required pam_unix.so broken_shadow