I want to use kerberos for authentication and ldap for authorization. I'm using OpenLDAP and not SUN LDAP so this already creates a bit of chafe, but I'm not going to install SUN LDAP
or install a 3rd party PAM module - I want everything to be default so the next person to inherit this mess doesn't go mad.
Now I don't want to use pam_ldap for account authorization since this implies 1) I'm using SUN LDAP and 2) I'm storing account information like PASSWD in LDAP. We don't.
I *do* want to use vanilla pam_unix_account and rely on nsswitch.conf to state my name service preferences.
Now one would assume, given my requirements, that a reasonable SSH PAM stack would look like this:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1
Then why doesn't it work???? Why, in debug mode, does it always complain that account so and so is not found?
After some investigation it turns out that if using OpenLDAP for authorization one needs to add "objectClass=shadowAccount", and that's it, as an attribute to every single uid=xxx,ou=People,dc=place,dc=org. At least for those users that want to be authorized for login.
What a pain. And how much precious time did I waste on this? 2, maybe 3 hours? Unbelievable.