On 19.09.2017 at 19:41, Russ Allbery wrote:
> Rafal Pietrak <ra...@ztk-rp.eu> writes:
>
>> I did attempt that, but without success.
>
>> When I swapped krb5 entry with unix entry in common-password, nothing
>> changes. When I did that in common-auth I've got "bad password" response
>> from sudo command.
>
> You want common-auth, not common-password.
>
> Are you sure that you're using the password in the local system
> /etc/shadow and that you've set the pam_unix module as sufficient so that
> pam_krb5 doesn't run if it succeeds? You want something like:

Yes I am. That was the initial configuration of the notebook. I've added
kerberos later to be able to access ActiveDirectory domain resources at
work.

>
> auth sufficient pam_unix.so
> auth required pam_krb5.so try_first_pass minimum_uid=1000

I have this (default on debian-9 .. I haven't touched it before):

auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass

which I've temporarily swapped ... and in consequence got the "bad
password" result. Apparently I haven't changed everything that's
necessary for it to work ... but I don't know what exactly.

[-----------------]

>
> Unless carefully configured to not be the default authentication option,
> and honestly even then, a Kerberos PAM module is not a good configuration
> for systems that have spotty network connectivity. Have you considered
> removing the PAM module entirely, using local system authentication, and
> running kinit when you want Kerberos tickets? That's what I do.

OK. This should be quite fine. If timeouts are gone, I think I can live
with that.

... and maybe exactly this should be suggested as a warning during libpam
installation? Like accompanied by advice to install sssd instead?

-R
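To make the difference between Debian's jump-based common-auth and the sufficient-first stack concrete, here is an added example (not from the list thread and not Linux-PAM code) that walks an auth stack under a simplified reading of pam.d(5) and reports which modules actually get invoked. It assumes the pam_deny/pam_permit lines of a standard Debian common-auth, which the quoted snippet above does not show, and module results are constructed rather than coming from real modules.

```python
# Toy model of how Linux-PAM walks an auth stack (added illustration, not Linux-PAM
# code): only the success/default keys of pam.d(5) are honoured, results are supplied.
KEYWORDS = {"required": {"success": "ok", "default": "bad"},        # keyword controls
            "requisite": {"success": "ok", "default": "die"},       # in their bracketed
            "sufficient": {"success": "done", "default": "ignore"}}  # equivalents

def parse_stack(text):  # "auth <control> <module> [args]" lines -> (actions, module)
    stack = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split()
        if fields[1].startswith("["):            # [success=N default=ignore] form
            start, end = line.index("["), line.index("]")
            actions = dict(kv.split("=") for kv in line[start + 1:end].split())
            module = line[end + 1:].split()[0]
        else:
            actions, module = dict(KEYWORDS[fields[1]]), fields[2]
        stack.append((actions, module))
    return stack

def run_stack(stack, outcomes):
    """Return (authenticated, modules invoked); outcomes maps module -> bool."""
    invoked, result, i = [], None, 0       # result stays None until a module sets it
    while i < len(stack):
        actions, module = stack[i]
        invoked.append(module)
        ok = outcomes[module]
        action = actions["success"] if ok else actions["default"]
        i += 1
        if action.isdigit():               # jump: counts as ok, then skips N entries
            i, action = i + int(action), "ok"
        if action in ("ok", "done") and result is None:
            result = ok
        elif action in ("bad", "die") and result is not False:
            result = False                 # first failure wins; later success can't undo it
        if action in ("done", "die"):      # these end the stack immediately
            break
    return result is True, invoked

STACKS = {  # the two stacks discussed above; pam_deny/pam_permit assumed from Debian
    "debian": """auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so""",
    "local_first": """auth sufficient pam_unix.so
auth required pam_krb5.so try_first_pass minimum_uid=1000""",
}
def compare(unix_ok, krb5_ok):  # constructed module results; deny/permit are fixed
    outcomes = {"pam_unix.so": unix_ok, "pam_krb5.so": krb5_ok,
                "pam_deny.so": False, "pam_permit.so": True}
    return {name: run_stack(parse_stack(text), outcomes) for name, text in STACKS.items()}
```

With a good local password and Kerberos unreachable, the Debian stack still calls pam_krb5 first (where the timeout happens) before pam_unix lets the login through, while the sufficient-first stack never touches pam_krb5 at all.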