
Ocean News/2008-05-05


Kerberos Authentication

The current documentation creates a rather fruity security policy: passwords appear to be checked only on ssh connections, and GDM logins skip password checking completely. With Ubuntu 8.04 comes updated documentation and a new nss-ldapd to cope with boot hangs.

Configure common-auth with the following; note that minimum_uid should not be used here.

auth	        sufficient	pam_krb5.so ccache=/tmp/krb5cc_%u
auth	        sufficient	pam_unix.so likeauth nullok_secure use_first_pass
auth	        required	pam_deny.so

That leaves common-account with the minimum_uid checks.

account	required	pam_unix.so
account	required	pam_krb5.so minimum_uid=1000

And common-session gets more checks and optional home directory creation. Note that if the home directories are NFS mounts and are unavailable, this can end up creating new, empty local accounts, which easily confuse end users.

session	required	pam_unix.so
session	optional	pam_foreground.so
session	optional	pam_krb5.so minimum_uid=1000

--Steve-o 2008-05-05
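
The following is an added example, not part of the original post: a small Python check that parses the common-auth stack shown above, reports any auth module carrying minimum_uid, and walks the stack with simplified sufficient/required semantics. The function names and the per-module results passed to evaluate() are assumptions made for illustration.

```python
# Added example (not from the original page): parse a PAM auth stack,
# flag minimum_uid in it, and evaluate it with simplified control flags.

# common-auth as given on this page (whitespace normalised).
COMMON_AUTH = """\
auth  sufficient  pam_krb5.so ccache=/tmp/krb5cc_%u
auth  sufficient  pam_unix.so likeauth nullok_secure use_first_pass
auth  required    pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, ignoring comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def lint_auth(stack):
    """Report auth modules that carry minimum_uid, which the page says to avoid."""
    return [module for _, module, args in stack
            if any(a.startswith("minimum_uid=") for a in args)]

def evaluate(stack, results):
    """Simplified outcome of a stack; handles only sufficient/required.

    results maps module name -> True if that module would accept the password
    (assumed input); pam_deny.so always fails.
    """
    passed = failed = False
    for control, module, _ in stack:
        ok = module != "pam_deny.so" and results.get(module, False)
        if control == "sufficient" and ok and not failed:
            return True              # success here ends the stack
        if control == "required":
            passed, failed = passed or ok, failed or not ok
    return passed and not failed

if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    print("minimum_uid in auth:", lint_auth(stack) or "none")
    for label, res in [("Kerberos password ok", {"pam_krb5.so": True}),
                       ("local password ok", {"pam_unix.so": True}),
                       ("wrong password", {})]:
        print(label, "->", "granted" if evaluate(stack, res) else "denied")
```

To check a live system, pass the contents of /etc/pam.d/common-auth to parse_stack() in place of the embedded sample.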
