Hi,
I've configured two Linux boxes to authenticate against Windows Active Directory using Kerberos while retrieving authorization data (uids, gids, ...) from NIS.
The problem I ran into with my PAM configuration is that all authentication attempts succeed in order, i.e. if someone tried his NIS credentials he will be granted access!!
What I want is this: Kerberos authentication is tried first; if it fails, local files authentication ONLY is tried.
Here's my PAM configuration from the system-auth PAM configuration file, which is included by all the system's PAM-aware services:
auth required pam_env.so
auth sufficient pam_krb5.so debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
The issue here: I think the pam_unix module somehow contacts NIS for authentication if Kerberos fails. But I had updated my nsswitch.conf to look like:
passwd: files nis
shadow: files
group: files nis
I thought the pam_unix.so module referenced this file to see where to look up passwords.
Please note that I can't remove nis from the passwd and group sections because this is needed to get authorization (uid, gid) data from NIS.
The point is, the above nsswitch.conf didn't resolve the issue; users are still able to log in using their NIS credentials!
Please help me figure out what is wrong here.
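The following is an added example written for this page, not code from the original post. It is a small Python model of how Linux-PAM walks an `auth` stack: each line is parsed into a control flag and module, and the flags are applied the way pam_authenticate() applies them (required records a failure but continues, requisite aborts at once, sufficient returns success immediately if nothing required has failed yet). The per-module outcomes for each login scenario are constructed, not measured: in the "NIS-only user" scenario pam_unix.so is assumed to succeed because that module authenticates whatever account NSS resolves, which with `passwd: files nis` includes NIS accounts. The second stack, which puts `pam_localuser.so` (succeeds only for accounts present in /etc/passwd) as a requisite gate in front of pam_unix.so, is one assumed fix for "Kerberos first, then local files only"; it is not something the poster proposed.

```python
"""Toy model of Linux-PAM `auth` stack evaluation (added example).

Module results are supplied from constructed tables below; no real
PAM module is executed.
"""
from __future__ import annotations
from dataclasses import dataclass

CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Entry:
    control: str          # required | requisite | sufficient | optional
    module: str           # e.g. "pam_unix.so"
    args: tuple[str, ...]  # remaining words on the line


def parse_stack(text: str, facility: str = "auth") -> list[Entry]:
    """Parse the `facility` lines of a pam.d file into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments / blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] != facility or len(fields) < 3:
            continue
        control, module, *args = fields[1:]
        if control not in CONTROLS:
            raise ValueError(f"unsupported control flag: {control}")
        entries.append(Entry(control, module, tuple(args)))
    return entries


def run_stack(entries: list[Entry], results: dict[str, bool]) -> str:
    """Return 'success' or 'failure' following the classic control flags.

    results maps module name -> outcome of that module for this attempt;
    a module missing from the table is treated as failing.
    """
    failed = False
    for e in entries:
        ok = results.get(e.module, False)
        if e.control == "requisite" and not ok:
            return "failure"                 # abort immediately
        if e.control == "required" and not ok:
            failed = True                    # remembered, keep walking
        if e.control == "sufficient" and ok and not failed:
            return "success"                 # short-circuit success
        # optional: ignored here (stacks below always have other modules)
    return "failure" if failed else "success"


def evaluate(stack_text: str, results: dict[str, bool]) -> str:
    return run_stack(parse_stack(stack_text), results)


# The stack from the post.
POSTED = """\
auth required pam_env.so
auth sufficient pam_krb5.so debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

# Assumed hardened variant (not from the post): pam_localuser.so only
# succeeds for accounts listed in /etc/passwd, so a NIS-only account
# that failed Kerberos never reaches pam_unix.so.
HARDENED = """\
auth required pam_env.so
auth sufficient pam_krb5.so debug
auth requisite pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

# Constructed scenarios: which module would accept this attempt.
NIS_ONLY_USER = {   # NIS account, correct NIS password, no Kerberos principal
    "pam_env.so": True, "pam_krb5.so": False, "pam_localuser.so": False,
    "pam_unix.so": True, "pam_succeed_if.so": True, "pam_deny.so": False,
}
KERBEROS_USER = {   # AD account, correct Kerberos password
    "pam_env.so": True, "pam_krb5.so": True, "pam_localuser.so": False,
    "pam_unix.so": False, "pam_succeed_if.so": True, "pam_deny.so": False,
}
LOCAL_USER = {      # /etc/passwd account, correct local password
    "pam_env.so": True, "pam_krb5.so": False, "pam_localuser.so": True,
    "pam_unix.so": True, "pam_succeed_if.so": True, "pam_deny.so": False,
}
LOCAL_USER_BAD_PW = {
    "pam_env.so": True, "pam_krb5.so": False, "pam_localuser.so": True,
    "pam_unix.so": False, "pam_succeed_if.so": True, "pam_deny.so": False,
}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("hardened", HARDENED)):
        for who, res in (("nis-only", NIS_ONLY_USER), ("kerberos", KERBEROS_USER),
                         ("local", LOCAL_USER), ("local-bad-pw", LOCAL_USER_BAD_PW)):
            print(f"{name:9s} {who:13s} -> {evaluate(stack, res)}")
```

Running it shows the posted stack returning success for the NIS-only scenario (pam_krb5.so fails but is only `sufficient`, so the walk continues to pam_unix.so, which is also `sufficient` and short-circuits to success), while the gated stack fails that same scenario and still accepts the Kerberos and local-file scenarios. Whether pam_localuser.so is acceptable in a given setup depends on what should happen when the KDC is unreachable for Kerberos users, which this model does not cover.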