[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G.
skunk at iskunk.org
Wed Apr 27 00:25:40 UTC 2016
I've been working on a Kerberos system config lately, and have once more
run into the title question.
It's been six years. Debian bugs #330882 (no real shells for system
users) and #429692 (support include directives in krb5.conf) are done
and laid to rest.
Can we move minimum_uid= out from the "krb5" PAM config and in to
krb5.conf? (Perhaps adding "ignore_root" to the former at the same time)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/369575
Title:
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Status in kerberos-configs package in Ubuntu:
Triaged
Status in libpam-krb5 package in Ubuntu:
Invalid
Bug description:
Binary package hint: libpam-krb5
I'm looking at libpam-krb5 version 3.13-2ubuntu1, in Jaunty.
The pam-auth-update profile file /usr/share/pam-configs/krb5 has
invocations of pam_krb5.so with the hardcoded option minimum_uid=1000.
Presumably, this is to exclude system users (uid < 1000) from Kerberos
authentication.
The problem is that some installations may have the convention of a
higher minimum UID for Kerberos users, and their options are limited
to either modifying the number in the profile file (a no-no given that
the file lives in /usr and not /etc), or bypassing the krb5 profile
altogether (either with a custom profile, or direct edits to
/etc/pam.d/*).
To make all this concrete: I have a setup where Kerberos users have
UIDs >= 20000. I specify this right in /etc/krb5.conf, under the
[appdefaults] section (see the pam_krb5 man page for details on how to
do this). Users with 1000 >= UID > 20000 are assumed to be local [but
otherwise normal] users, existing only on the local system. The
problem is that (1) my minimum_uid option in krb5.conf is being
overridden by the hardcoded options in .../pam-configs/krb5, and (2)
when I create a local user with adduser(8), and try to set/change its
password, I get prompted for "Current Kerberos password:" even though
no such entity exists in my Kerberos database!
(FYI: In Intrepid, I was using a custom pam-auth-update profile
similar to the new krb5 one, but without the minimum_uid= options. I
had considered it preferable to specify this once in krb5.conf than
multiple times in this file.)
I think that the minimum_uid= options should be removed from the krb5
profile, and the equivalent option added to krb5.conf, where the
specific UID number can be modified administratively. The current
approach is not flexible for installations making broad use of
Kerberos.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/369575/+subscriptions
More information about the foundations-bugs
mailing list