Luís Eterovick wrote:
> Hello,
> what I need is to create Kerberos principals for every NIS user in a
> network. I have a working MIT Kerberos 5 on my computer that I made to test.
> I've read about pam_krb5_migrate, but I didn't use pam for anything until
> now. How can I do this user creation and is it possible to test it in my own
> Kerberos realm using the NIS information?
Hello Luis,

well, you can use pam_krb5_migrate so as to achieve a smooth migration to
Kerberos. What we did when we migrated passwords from an LDAP server to a
Heimdal KDC was to migrate users while they were authenticating to some of our
services (e.g. mail or ssh). Thus each machine which hosted some service would
do the migration.

First you have to add the principal to /etc/security/pam_krb5.keytab:

    pam_migrate/FQDN_OF_THE_MACHINE

Then delegate the credentials to those principals to be able to add new
principals to the KDC. Add to the ACL file (/etc/heimdal-kdc/kadmind.acl; in
MIT Kerberos this is named kadm5.acl and it could be under /etc as well, or
under /usr/local/var/krb5kdc if you are using BSD) something like:

    pam_migrate/f...@realm a *...@realm

Then add to the PAM auth stack (/etc/pam.d/common-auth):

    auth sufficient pam_krb5.so use_first_pass
    auth required   pam_unix.so nullok_secure nis use_first_pass
    auth optional   pam_krb5_migrate.so debug

That way anyone using any service that uses PAM for auth should be migrated to
your KDC. The only side-effect is that users have to enter their passwords
twice. But this shouldn't be a problem; sometimes they won't even notice, if
that is done by some program (e.g. a mail client).

-- Nikos

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
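Two sanity checks for the setup Nikos describes, as an added example that is not part of the thread: the kadm5.acl entry should grant the migration principal only the "a" (add) right, and the auth stack must run pam_unix before pam_krb5_migrate so a password is only forwarded to the KDC after NIS has verified it. The host name host.example.com, the realm EXAMPLE.COM and the file contents are constructed.

```shell
#!/bin/sh
# Added example: sanity checks for the pam_krb5_migrate setup described above.
# Host name, realm and file contents below are constructed, not from a real KDC.

# check_kadm5_acl FILE PRINCIPAL
# Succeeds only if FILE grants PRINCIPAL exactly "a" (add). A "*" entry would let
# a compromised migration host modify or delete every principal in the realm.
check_kadm5_acl() {
    perms=$(awk -v p="$2" '$1 == p { print $2; exit }' "$1")
    [ "$perms" = "a" ]
}

# check_pam_stack FILE
# Succeeds if the auth lines appear in the order pam_krb5 (sufficient), pam_unix
# (required), pam_krb5_migrate (optional). Assumes plain control keywords.
check_pam_stack() {
    awk '
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_krb5\.so/ { seen_krb5 = NR }
        $1 == "auth" && $2 == "required" && $3 ~ /pam_unix\.so/ && seen_krb5 { seen_unix = NR }
        $1 == "auth" && $2 == "optional" && $3 ~ /pam_krb5_migrate\.so/ && seen_unix { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# write_samples DIR: constructed config files that exercise the checks.
write_samples() {
    cat > "$1/kadm5.acl" <<'EOF'
# principal                                 perms  target
pam_migrate/host.example.com@EXAMPLE.COM    a      *@EXAMPLE.COM
EOF
    cat > "$1/kadm5-bad.acl" <<'EOF'
pam_migrate/host.example.com@EXAMPLE.COM    *      *@EXAMPLE.COM
EOF
    cat > "$1/common-auth" <<'EOF'
auth sufficient pam_krb5.so use_first_pass
auth required   pam_unix.so nullok_secure nis use_first_pass
auth optional   pam_krb5_migrate.so debug
EOF
}

# Stand-alone run against the constructed samples.
samples=$(mktemp -d)
write_samples "$samples"
check_kadm5_acl "$samples/kadm5.acl" pam_migrate/host.example.com@EXAMPLE.COM && echo "acl: ok"
check_kadm5_acl "$samples/kadm5-bad.acl" pam_migrate/host.example.com@EXAMPLE.COM || echo "acl: over-privileged"
check_pam_stack "$samples/common-auth" && echo "pam stack: ok"
rm -rf "$samples"
```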