Description of problem:
I've tried to set up a workstation with Kerberos single sign-on configured. Unfortunately, the /etc/pam.d/system-auth-ac created by system-config-authentication has logic which prevents pam_krb5 from authenticating itself to a server. Please have a look:

    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth sufficient pam_krb5.so use_first_pass
    auth required pam_deny.so

This means that after pam_unix authenticates the user we leave the PAM stack, and the authentication service provided by pam_krb5.so is never called. As a result, the session service later on will not be able to set up credentials for the user.

Version-Release number of selected component (if applicable):
authconfig-gtk-5.3.10-1.x86_64
authconfig-5.3.10-1.x86_64

How reproducible:
always

Actual results:
klist shows no credentials after logging in.

Expected results:
klist shows credentials after logging in.

Additional info:
This fault is related to bug #193335 which unfortunately was closed as NOTABUG (which I strongly believe it is). It may also relate to bug #179009.
No, what you are trying to achieve is simply not possible. Or it is possible, but it has its own set of problems. Authconfig as a tool can choose only one of many possible PAM configurations, and it is up to you to modify it if it doesn't suit your needs. What I mean is that the config generated by authconfig is perfectly OK when you either don't have users authenticated by Kerberos in /etc/passwd at all but they are in LDAP or NIS. Or they have a passwd entry but without a password set there (or in /etc/shadow). Or you can have a different password in /etc/shadow and in Kerberos, and use the Kerberos password normally and the /etc/shadow one only when the Kerberos server is unavailable. Switching the order of the authentication modules would be possible, but it would have other problems like very long timeouts on authentication when disconnected from the network.
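Added example, not part of the bug report or the reply: a small Python model of how Linux-PAM walks the quoted auth stack, showing that pam_krb5.so is skipped when pam_unix.so succeeds and is reached when the account has no usable local password. The module results are constructed inputs, the function names are hypothetical, and only the required/requisite/sufficient/optional control flags are modelled.

```python
# Added illustration: a minimal model of how Linux-PAM walks an "auth" stack.
# Module results are supplied by the caller (constructed inputs); no real
# PAM module is invoked. parse() and run_auth() are hypothetical helper names.

STACK = """\
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required   pam_deny.so
"""

def parse(text):
    """Return [(control, module)] for each 'auth' line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2]))
    return entries

def run_auth(entries, outcomes):
    """Walk the stack; outcomes maps module name -> True (success) / False.
    Returns (authenticated, modules_called)."""
    called, required_failed = [], False
    for control, module in entries:
        called.append(module)
        ok = outcomes[module]
        if control == "sufficient" and ok and not required_failed:
            return True, called        # stack ends here; later modules never run
        if control == "requisite" and not ok:
            return False, called       # immediate failure
        if control == "required" and not ok:
            required_failed = True     # keep going, final result is failure
    return not required_failed, called

# Constructed scenarios.
# 1. Account has a matching password in /etc/shadow: pam_unix succeeds.
local_pw = {"pam_env.so": True, "pam_unix.so": True, "pam_succeed_if.so": True,
            "pam_krb5.so": True, "pam_deny.so": False}
# 2. No usable local password (e.g. user only in LDAP/NIS): pam_unix fails.
no_local_pw = dict(local_pw, **{"pam_unix.so": False})

if __name__ == "__main__":
    for name, outcomes in (("local password", local_pw),
                           ("no local password", no_local_pw)):
        ok, called = run_auth(parse(STACK), outcomes)
        print(f"{name}: authenticated={ok} "
              f"krb5_called={'pam_krb5.so' in called} {called}")
```

In the first scenario the login succeeds without pam_krb5.so ever running, which matches the empty klist output in the report; in the second the stack reaches pam_krb5.so, which is the case the reply describes as working.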