If you're working on a Linux notebook in an Active Directory environment and frequently accessing file shares, you'll soon find yourself annoyed by typing your password all the time. At least, I did. I thought it would be cool to use Kerberos (it is designed for just that use case), but completely rewiring my laptop's auth system to auth using Kerberos wouldn't work because when I'm on the move, there won't be no Domain Controller available, so I wouldn't be able to log in. This is obviously not acceptable.
I came up with a solution that works for me pretty well: My domain user and my local user have the same username and password. I chose to keep it that way, and just instruct PAM to try to reach the DC, and if successful, acquire a Kerberos ticket using the password I just entered. In case this worked, I'd have a Kerberos ticket for my session that I could then use to access file shares or kerberized web servers.
The setup is actually pretty simple. Join the domain,
apt-get install libpam-krb5, and put the following lines at the very end of /etc/pam.d/common-auth:
# http://ubuntuforums.org/showthread.php?t=1205604 # skip the next 2 modules, UNLESS we have uid = 1000 auth [default=2 success=ignore] pam_succeed_if.so quiet uid eq 1000 # skip the next module, UNLESS we can ping the domain controller auth [default=1 success=ignore] pam_exec.so quiet /bin/ping -c1 -w1 10.5.0.1 # login using kerberos and ignore failures auth [authinfo_unavail=ignore success=ok new_authtok_reqd=ok default=ignore] pam_krb5.so use_first_pass minimum_uid=999
This code will get you a Kerberos ticket whenever you're logging in as user id 1000 (to prevent breaking the login for root) and the DC is within reach (to prevent breaking login when you're on the move).
You can easily test this setup by running (as your user):
svedrin@damien:~$ su svedrin Password: svedrin@damien:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000_sBIZIb Default principal: svedrin@LOCAL.LAN Valid starting Expires Service principal 24.09.2015 21:08:16 25.09.2015 07:08:16 krbtgt/LOCAL.LAN@LOCAL.LAN renew until 25.09.2015 21:08:16
Note that I'd always recommend using the DC's IP address in the ping command because a DNS name won't resolve when your DNS server is out of reach.