I have a working Kerberos authentication tested with kinit on Debian Buster. Now I try to use it with PAM for login with Kerberos and installed libpam-krb5 and configured it with pam-auth-update. But the documentation in
This configuration will still require that users be listed in /etc/shadow,
since otherwise the pam_unix account module will fail. Normally, accounts
that should only use Kerberos authentication should be created with
adduser --disabled-password. If you don't want the accounts to be listed
in /etc/shadow at all (if, for example, you're using some other source
than files for your nsswitch configuration), you can mark the pam_krb5
account module as sufficient rather than required so that pam_unix isn't
run. This will mean that you won't be able to disable accounts locally.
I don't want the accounts to be listed locally in /etc/shadow again in addition to the Kerberos Database because it is redundant work for me. I tried a login with the default setup and get this failure:
Debian GNU/Linux 10 deb10-base ttyS0
deb10-base login: ingo
In journalctl I find this:
Oct 06 15:33:08 deb10-base login: pam_krb5(login:auth): user ingo authenticated as ingo@EXAMPLE.COM
Oct 06 15:33:08 deb10-base login: pam_unix(login:account): could not identify user (from getpwnam(ingo))
Oct 06 15:33:08 deb10-base login: Authentication failure
That is exactly expected from the quoted documentation above. But I don't understand from the comment where and what to modify in the PAM configuration files. The current configuration files do not match the documentation.
What entry in what PAM configuration file do I have to modify from required to sufficient? Are there maybe other things to do? If possible I would like to preserve the pam-auth-update config sections.
Forgot to mention that I started pam-auth-update and checked the options:
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login
I tried to uncheck "Unix authentication" but that makes the login unusable. I wasn't able to log in again, not even as root. I had to recover from a snapshot.
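
A small triage script for the journal lines in the post, added here as an example and not part of the original post: it separates the auth-phase result from the account-phase result for each user. The function names and regular expressions are assumptions written for these three log lines; getpwnam() is the passwd lookup made through NSS.

```python
import re
from collections import defaultdict

# Journal lines copied from the post above (one failed console login).
SAMPLE = """\
Oct 06 15:33:08 deb10-base login: pam_krb5(login:auth): user ingo authenticated as ingo@EXAMPLE.COM
Oct 06 15:33:08 deb10-base login: pam_unix(login:account): could not identify user (from getpwnam(ingo))
Oct 06 15:33:08 deb10-base login: Authentication failure
"""

# PAM modules log as "pam_<module>(<service>:<phase>): <message>".
PAM_LINE = re.compile(r"(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<phase>\w+)\): (?P<msg>.*)$")
KRB_OK = re.compile(r"user (?P<user>\S+) authenticated as (?P<principal>\S+)")
NSS_MISS = re.compile(r"could not identify user \(from getpwnam\((?P<user>[^)]*)\)\)")


def triage(text):
    """Collect, per user, the Kerberos auth result and any failed passwd lookup."""
    state = defaultdict(lambda: {"principal": None, "nss_unknown": False})
    for line in text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue  # e.g. the generic "Authentication failure" line
        if m["module"] == "pam_krb5" and m["phase"] == "auth":
            ok = KRB_OK.search(m["msg"])
            if ok:
                state[ok["user"]]["principal"] = ok["principal"]
        elif m["phase"] == "account":
            miss = NSS_MISS.search(m["msg"])
            if miss:
                state[miss["user"]]["nss_unknown"] = True
    return dict(state)


def diagnose(text):
    """Report users whose password check passed but whose account lookup failed."""
    findings = []
    for user, s in sorted(triage(text).items()):
        if s["principal"] and s["nss_unknown"]:
            findings.append(
                f"{user}: Kerberos auth OK as {s['principal']}; "
                "account phase failed because getpwnam() returned no passwd entry"
            )
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)))
```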