Or you could just put your own config for krb5 in place such as I did:
$ cat /usr/share/pam-configs/krb5 Name: Kerberos Authentication Default: yes Priority: 300 Auth-Type: Primary Auth-Initial: [success=end default=ignore] pam_krb5.so Auth-Final: [success=end default=ignore] pam_krb5.so use_first_pass Account-Type: Primary Account-Final: [success=end default=ignore] pam_krb5.so Password-Type: Primary Password-Initial: [success=end user_unknown=ignore default=die] pam_krb5.so Password-Final: [success=end user_unknown=ignore default=die] pam_krb5.so use_authtok try_first_pass Session-Type: Additional Session-Final: optional pam_krb5.so
No guarantees to how correct it is, but it seems to work here.
Or you could just put your own config for krb5 in place such as I did:
$ cat /usr/share/ pam-configs/ krb5
Name: Kerberos Authentication
Default: yes
Priority: 300
Auth-Type: Primary
Auth-Initial:
[success=end default=ignore] pam_krb5.so
Auth-Final:
[success=end default=ignore] pam_krb5.so use_first_pass
Account-Type: Primary
Account-Final:
[success=end default=ignore] pam_krb5.so
Password-Type: Primary
Password-Initial:
[success=end user_unknown=ignore default=die] pam_krb5.so
Password-Final:
[success=end user_unknown=ignore default=die] pam_krb5.so use_authtok try_first_pass
Session-Type: Additional
Session-Final:
optional pam_krb5.so
No guarantees to how correct it is, but it seems to work here.