Good Day,

We primarily run with RHEL 5/6/7 servers, but for SAP we will be testing on SLES. We use Kerberos for authentication purposes, i.e. users are added locally but passwords are checked against AD. I installed the SLES 12 server with defaults and did the following afterwards:

zypper install krb5-client pam_krb5

Copied the /etc/krb5.conf file from one of the RHEL Servers across to the SLES 12 Server

pam-config --add --krb5 --add --mkhomedir

Now I can log in with the local admin user accounts I added, with password checks being done against AD ... however, even though root has a local password, it is being authenticated against AD and then obviously fails.

Some config files:

/etc/nsswitch.conf

passwd: compat
group: compat


/etc/pam.d/common-account

account requisite pam_unix.so try_first_pass
account required pam_krb5.so use_first_pass
account required pam_localuser.so


/etc/pam.d/common-auth

auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so


/etc/pam.d/common-password

password requisite pam_cracklib.so
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password sufficient pam_krb5.so
password required pam_deny.so


/etc/pam.d/common-session

session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_krb5.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
session optional pam_env.so


The other thing that crops up is the following:

chage -l user
chage: PAM: User not known to the underlying authentication module


Can anyone assist ... maybe something trivial that I am missing?

Regards
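
Added example, not part of the original post: a small evaluator that walks the posted common-auth and common-account stacks using libpam's rules for the required, requisite, sufficient and optional control flags, to show which module decides the outcome. The per-module return values passed to evaluate() are constructed assumptions; the post does not say what each module actually returns on this host.

```python
# Added example: evaluate a PAM stack with libpam's rules for the four simple control flags.
ACTIONS = {  # control flag -> (action on success, action on any other non-ignore return)
    "required": ("ok", "bad"),
    "requisite": ("ok", "die"),
    "sufficient": ("done", "ignore"),
    "optional": ("ok", "ignore"),
}

# Stacks copied from the post.
COMMON_AUTH = """
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""
COMMON_ACCOUNT = """
account requisite pam_unix.so try_first_pass
account required pam_krb5.so use_first_pass
account required pam_localuser.so
"""

def parse_stack(text):
    """Return [(control, module)] from 'type control module [args]' lines."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3]

def evaluate(stack, results):
    """results: module -> assumed return ('success', 'ignore', or an error name).
    Unlisted modules are assumed to succeed. Returns (final_status, deciding_module)."""
    status, decider = None, None
    for control, module in stack:
        ret = results.get(module, "success")
        if ret == "ignore":
            continue  # PAM_IGNORE never influences the result for these flags
        action = ACTIONS[control][0 if ret == "success" else 1]
        if action in ("ok", "done") and status in (None, "success"):
            status, decider = "success", module
            if action == "done":
                break  # sufficient with no earlier failure: stack ends here
        elif action in ("bad", "die"):
            if status in (None, "success"):
                status, decider = ret, module  # first failure is what the caller sees
            if action == "die":
                break  # requisite: fail immediately
    return (status or "perm_denied", decider)  # nothing voted: libpam denies
```

With the assumed input {"pam_krb5.so": "user_unknown"}, the account stack returns user_unknown even though pam_unix.so and pam_localuser.so succeed, because a failing required module cannot be overridden by later successes.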