I did some work with Russ' module on OpenSolaris and Solaris 10 release 4
(which has Kerberos headers and libraries). I noted a small issue (crash of
pam_krb5 when calling pam_setcred in cache_init_from_cache since for some
reason the pointer to the old cache is NULL). There also seems to be a
problem with retrieving the old token, as the module will ask again for the
current password (although this is related to using Sun's
pam_authtok_get.so.1 to retrieve tokens/passwords).

My check tool output. (The user mm is set up on win2k3 R2 for authentication
and LDAP authorization.)

# ./check_user
==> called pam_start()
got: `Success' `0'
==> called pam_start()
got: `Success' `0'
Please enter user name: mm
Password:
==> called pam_authenticate()
got: `Get new authentication token' `10'
New Password:
Current Kerberos password:
Re-enter new Password:
==> called pam_chauthtok()
got: `Success' `0'
==> called pam_acct_mgmt()
got: `Success' `0'
UID : 0
eUID : 0
==> called pam_open_session() got: `Success' `0'
Segmentation Fault(coredump)


cache_init_from_cache(struct pam_args *args, const char *ccname,
                      krb5_ccache old, krb5_ccache *cache)
{
    struct context *ctx;
    krb5_creds creds;
    krb5_cc_cursor cursor;
    int pamret;
    krb5_error_code status;

    memset(&creds, 0, sizeof(creds));
    if (args == NULL || args->ctx == NULL || args->ctx->context == NULL)
        return PAM_SERVICE_ERR;
    ctx = args->ctx;
    status = krb5_cc_start_seq_get(ctx->context, old, &cursor);
    if (status != 0) {


pam.conf extract
#
#
#
check_user auth requisite pam_authtok_get.so.1
check_user auth sufficient pam_krb5-3.9.so use_first_pass debug
check_user auth sufficient pam_krb5-3.9.so realm=SUSE.HOME use_first_pass debug
check_user auth required pam_krb5-3.9.so realm=WIN2003R2.HOME use_first_pass debug
check_user auth required pam_unix_auth.so.1 use_first_pass debug
#
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 debug
passwd auth sufficient pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 realm=SUSE.HOME use_first_pass debug
passwd auth sufficient pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 realm=WIN2003R2.HOME use_first_pass debug
passwd auth required pam_passwd_auth.so.1 use_first_pass
#
#
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5-3.9.so minimum_uid=200 use_first_pass debug
other password sufficient pam_krb5-3.9.so minimum_uid=200 realm=SUSE.HOME use_first_pass debug
other password sufficient pam_krb5-3.9.so minimum_uid=200 realm=WIN2003R2.HOME use_first_pass debug
other password required pam_authtok_store.so.1 use_first_pass
..

The passwd works fine with the above config.

# passwd mm
Password:
New Password:
Re-enter new Password:

Markus

"Russ Allbery" wrote in message
news:87d4rya4y4.fsf@windlord.stanford.edu...
> Coy Hile writes:
>
>> Does your pam_krb5 implementation support this type of setup? The stock
>> one that ships with Solaris does not.
>
> Yup, it should prompt the user to change their password. It just makes
> use of the support inside the Kerberos libraries for doing so, though, so
> that may not work when built against the Solaris Kerberos libraries if
> they don't include that support. I don't know; I don't use Solaris's
> Kerberos implementation.
>
> --
> Russ Allbery (rra@stanford.edu)
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>