Okay.

I have Active Directory's users logging into Linux clients thanks to pam_winbind.
I have Samba Shares mounted at login and unmounted at logoff thanks to pam_mount.
I have Cups printing to a Windows Print Queue WITH user authentication thanks to a patched smbspool and Kerberos ticket.

What I need now is to retrieve kerberos tickets at login time WITHOUT prompting for a password. I know pam_krb5 does that, but I can't manage to fit it into /etc/pam.d/system-auth along with pam_winbind and pam_mount.

Thatś my system-auth file:

#%PAM-1.0

auth required pam_mount.so
auth sufficient pam_winbind.so
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

account sufficient pam_winbind.so
account required pam_unix.so

password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_mount.so


Anyone may help me out?

Tks

I thought that the sufficient tests had to appear before the required in PAM because rules are evaluated in the order they appear. I maybe wrong but logically if you "require" something then it doesn't make sense to have an optional test (sufficient) afterwards.

Actually the current file as it is works perfectly.
The problem is fitting pam_krb5.so into it so that a kerberos ticket is retrieved when user logs in.