47.9. Enabling PAM Support for Kerberos

SUSE® Linux Enterprise comes with a PAM module named pam_krb5, which supports Kerberos login and password update. This module can be used by applications, such as console login, su, and graphical login applications like KDM, in which the user presents a password and wants the authenticating application to obtain an initial Kerberos ticket (a TGT) on the user's behalf.

The pam_unix2 module also supports Kerberos authentication and password update. To enable Kerberos support in pam_unix2, edit the file /etc/security/pam_unix2.conf so it contains the following lines:

auth:       use_krb5 nullok
account:    use_krb5
password:   use_krb5 nullok
session:    none

After that, all programs that evaluate the entries in this file use Kerberos for user authentication. For a user who has no Kerberos principal, pam_unix2 falls back on its normal password check. Users who do have a principal can now change their Kerberos passwords transparently with the passwd command. Note that the nullok option allows login to local accounts whose password field is empty; omit it from the auth and password lines unless such accounts are actually required.

To fine-tune how pam_krb5 behaves (ticket lifetimes, forwardability, which accounts it applies to, and whether obtained tickets are verified), edit the file /etc/krb5.conf and add a pam subsection to its [appdefaults] section. For details, refer to the manual page with man 5 pam_krb5.
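As an added example (not taken from the SUSE guide), the following shows what such an [appdefaults] entry for pam_krb5 can look like. The option names are those documented in the pam_krb5 manual page; the lifetimes, the UID threshold, and the keytab path are assumptions chosen for this illustration and should be adjusted to your site.

```ini
[appdefaults]
        pam = {
                # Assumed values: obtain tickets valid for ten hours,
                # renewable for up to one day.
                ticket_lifetime = 10h
                renew_lifetime = 1d
                forwardable = true
                proxiable = false

                # Do not attempt Kerberos for system accounts (root, daemons);
                # they keep authenticating locally. 1000 is an assumed cut-off
                # matching the first regular user UID on this system.
                minimum_uid = 1000

                # Verify the freshly obtained TGT against this host's own
                # service key before treating the login as successful.
                # Without this check, a forged reply from a spoofed KDC
                # could be accepted for any password the attacker chooses.
                validate = true
                keytab = /etc/krb5.keytab
        }
```

The validate option only works if the host has its own principal (host/<fqdn>@REALM) stored in the named keytab. After saving the file, log in on a console or run su - as a user who has a principal, then run klist to confirm that a ticket with the configured lifetime was obtained.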

The pam_krb5 module is deliberately not designed for network services that accept Kerberos tickets as part of user authentication. That is an entirely different matter, which is discussed below.