# Correct pam configuration for KRB5 before NIS?



## rootwyrm (Apr 11, 2015)

This one has me beating my head against the wall. I'm trying to migrate my autofs setup on 10.1 from host principal to user principal. No AD involvement - this is a Heimdal setup with a 10.1-RELEASE kdc also using NIS to support other infrastructure pieces.
The problem is that apparently what is allegedly supposed to hit Kerberos *then* NIS is doing the exact opposite - it's hitting NIS first. Here's the setup (note that uid/gid stuff is present, I just pulled it to make it easier to read):

/etc/pam.d/system:

```
# auth
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
auth  sufficient  pam_krb5.so  no_warn try_first_pass
#auth  sufficient  pam_ssh.so  no_warn try_first_pass
auth  required  pam_unix.so  no_warn try_first_pass nullok

# account
account  required  pam_krb5.so
account  required  pam_login_access.so
account  required  pam_unix.so

# session
#session  optional  pam_ssh.so  want_agent
session  required  pam_lastlog.so  no_fail

# password
password  sufficient  pam_krb5.so  no_warn try_first_pass
password  required  pam_unix.so  no_warn try_first_pass
```

/etc/pam.d/login:

```
# auth
auth  sufficient  pam_self.so  no_warn
auth  include  system

# account
account  requisite  pam_securetty.so
account  required  pam_nologin.so
account  include  system

# session
session  include  system

# password
password  include  system
```

/etc/pam.d/sshd:

```
# auth
auth  sufficient  pam_krb5.so  no_warn
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
#auth  sufficient  pam_ssh.so  no_warn try_first_pass
auth  required  pam_unix.so  no_warn try_first_pass

# account
account  required  pam_nologin.so
account  required  pam_krb5.so
account  required  pam_login_access.so
account  required  pam_unix.so

# session
#session  optional  pam_ssh.so  want_agent
session  required  pam_permit.so

# password
password  sufficient  pam_krb5.so  no_warn
password  required  pam_unix.so  no_warn try_first_pass
```

This setup works just fine as far as logging in, autofs, host principals, etcetera. The problem is that a user has to manually kinit and enter their password again - which should only be true if the user isn't hitting KRB5 for login and is instead hitting NIS. Obviously I've screwed something up in my pam configuration. But I'm at a loss as to what. Can anyone point out what I got wrong here? Yeah, my pam-fu is weak.

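The question above is really about evaluation order once `include` lines are expanded, which is hard to see by eye across three files. The script below is an added example, not code from the original post: it flattens FreeBSD-style `/etc/pam.d` policies (an `auth include system` line splices `system`'s auth chain in at that position, which is what pam(8) does on FreeBSD), prints the effective module order per facility, and reports whether `pam_krb5.so` is consulted before `pam_unix.so` (the module that goes to the passwd/NIS database). It also flags two things a reviewer of this stack would want to see: `nullok` on `pam_unix.so`, which lets an account with an empty password field log in, and a `pam_krb5.so` entry that is not first in the chain but has no `try_first_pass`/`use_first_pass`, which therefore prompts for the password a second time instead of reusing the one already collected. The `POLICIES` dict holds the three files quoted in the post as constructed input (section headers and blank lines trimmed), so it runs without reading the real `/etc/pam.d`; the function names are this example's own.

```python
"""Flatten FreeBSD /etc/pam.d policies and show the order modules really run in.

Added example, not code from the original post.  `include` lines are expanded
the way pam(8) does on FreeBSD.  POLICIES is the post's system/login/sshd text,
embedded as constructed input so this runs without touching /etc/pam.d.
"""

FACILITIES = ("auth", "account", "session", "password")

POLICIES = {
    "system": """\
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
auth  sufficient  pam_krb5.so  no_warn try_first_pass
#auth  sufficient  pam_ssh.so  no_warn try_first_pass
auth  required  pam_unix.so  no_warn try_first_pass nullok
account  required  pam_krb5.so
account  required  pam_login_access.so
account  required  pam_unix.so
session  required  pam_lastlog.so  no_fail
password  sufficient  pam_krb5.so  no_warn try_first_pass
password  required  pam_unix.so  no_warn try_first_pass
""",
    "login": """\
auth  sufficient  pam_self.so  no_warn
auth  include  system
account  requisite  pam_securetty.so
account  required  pam_nologin.so
account  include  system
session  include  system
password  include  system
""",
    "sshd": """\
auth  sufficient  pam_krb5.so  no_warn
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
auth  required  pam_unix.so  no_warn try_first_pass
account  required  pam_nologin.so
account  required  pam_krb5.so
account  required  pam_login_access.so
account  required  pam_unix.so
session  required  pam_permit.so
password  sufficient  pam_krb5.so  no_warn
password  required  pam_unix.so  no_warn try_first_pass
""",
}

def parse_policy(text):
    """Yield (facility, control, module, options); comments and blanks skipped.
    `auth include system` comes back with control "include", module "system"."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in FACILITIES:
            raise ValueError(f"malformed pam line: {raw!r}")
        yield fields[0], fields[1], fields[2], tuple(fields[3:])

def flatten(service, facility, policies=POLICIES, _stack=()):
    """Effective (control, module, options) chain for one facility of one
    service, includes expanded in place; an include loop raises ValueError."""
    if service in _stack:
        raise ValueError("include loop: " + " -> ".join(_stack + (service,)))
    chain = []
    for fac, control, module, options in parse_policy(policies[service]):
        if fac != facility:
            continue
        if control == "include":
            chain.extend(flatten(module, facility, policies, _stack + (service,)))
        else:
            chain.append((control, module, options))
    return chain

def modules(service, facility, policies=POLICIES):
    """Module names in the order PAM will consult them."""
    return [module for _, module, _ in flatten(service, facility, policies)]

def krb5_before_unix(service, policies=POLICIES):
    """True if pam_krb5 runs before pam_unix (the passwd/NIS module) in auth."""
    order = modules(service, "auth", policies)
    return ("pam_krb5.so" in order and "pam_unix.so" in order
            and order.index("pam_krb5.so") < order.index("pam_unix.so"))

def findings(service, policies=POLICIES):
    """Auth-chain details worth a second look, as human-readable strings."""
    notes = []
    for pos, (_, module, options) in enumerate(flatten(service, "auth", policies)):
        if module == "pam_unix.so" and "nullok" in options:
            notes.append("pam_unix.so has nullok: an account with an empty "
                         "password field can log in")
        if (module == "pam_krb5.so" and pos > 0
                and not {"try_first_pass", "use_first_pass"} & set(options)):
            notes.append("pam_krb5.so is not first and has no try_first_pass/"
                         "use_first_pass: it prompts for the password again")
    return notes

if __name__ == "__main__":
    for service in POLICIES:
        print(f"== {service}")
        for fac in FACILITIES:
            print(f"  {fac:9s}", " -> ".join(modules(service, fac)) or "(none)")
        print("  pam_krb5 before pam_unix in auth:", krb5_before_unix(service))
        for note in findings(service):
            print("  !", note)
```

To run it against a live box instead of the embedded text, replace `POLICIES` with a dict built from `open(f"/etc/pam.d/{name}").read()` for each service; the parser deliberately rejects unknown facility names so a typo in a policy file shows up as an error rather than a silently skipped line.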

----------

