On Fri, Jul 10, 2015 at 04:50:39PM +0000, Longina Przybyszewska wrote:
Hi,
.k5login doesn't help . Homedir is mounted with sec=krb5 and not accessible on ssh
server side
Until get validated krb principal credentials - which seems to be my problem.
I have noticed , I have no libpam-krb5 module in PAM
That's fine, you don't need pam_krb5 to process PAC.
I have libpam-sss module, which seems to be enough to deal with krb
principals for NFS-mounts and
GUI logins and ssh logins with passwd.
PAC is processed by the PAC responder in sssd. The data can be fed to
PAC responder either from libkrb5 (invoked by SSHD) directly when using
GSSAPI auth or, when using password based auth, the SSSD's krb5_child
process feeds the data into the PAC responder.
It's a bit confusing and we have a ticket open to better describe the
relationship in a document..