Subject: Re: PAM and su -K
To: Roland Dowdeswell <elric@imrryr.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-userlevel
Date: 01/18/2005 05:54:11
On Jun 8,  9:22am, Roland Dowdeswell wrote:
} On 1105903348 seconds since the Beginning of the UNIX epoch
} Jason Thorpe wrote:
} 
} One could define local passwds first in PAM, but this only works
} properly if you make sure that your local passwds are different
} than your Kerberos passwds (which, of course you should do anyway.)

     This is an administrator decision.  There are arguments for doing it
both ways.  But, only the administrator of a given system can decide
what is best for that system.

} There is a problem with that approach with su(1), though, which is
} that it isn't clear [to me, last time I looked] how to make sure
} that the kerberos pam module's prompt is used even though the unix
} module will get the first crack at the passwd.

     There is no problem here.  If a module doesn't like the password
that an earlier module collected, then it can simply initiate a request
for a password itself.  In PAM, there is no rule saying that a user
must only give one password.  A user can be queried for passwords as
many times as the configured modules desire.

}-- End of excerpt from Roland Dowdeswell
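The two stacking behaviours discussed above, written out as an added example in OpenPAM (NetBSD /etc/pam.d) syntax; this is not configuration from the thread or from the NetBSD distribution, and the module option names assume NetBSD's pam_unix(8) and pam_krb5(8):

```text
# Added example for a su(1) auth chain: local password first, Kerberos
# second.  Only one of the two variants would appear in /etc/pam.d/su.

# Variant A: pam_krb5 is told to reuse the token pam_unix collected.
# It never issues its own prompt, so a user whose local and Kerberos
# passwords differ is judged on whatever was typed at the Unix prompt.
auth    sufficient  pam_unix.so   no_warn
auth    required    pam_krb5.so   use_first_pass

# Variant B: pam_krb5 carries neither use_first_pass nor try_first_pass,
# so when the local check does not succeed it asks again with its own
# prompt.  The user may be asked for a password twice; PAM permits that.
auth    sufficient  pam_unix.so   no_warn
auth    required    pam_krb5.so
```

With "sufficient" on pam_unix, a successful local password ends the chain and pam_krb5 is never reached; only a local failure leads to the Kerberos prompt in variant B.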