[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Thu Dec 21 18:01:29 UTC 2017

ignore_root won't work.

The first user—the local admin—is UID 1000.  If you ever try to passwd
that user, it asks for the user's Kerberos password.  If you try to
`passwd -r files`, it ... asks for the user's Kerberos password, because
the -r option doesn't work.

The root user generally is locked without a password.

Honestly the right option is probably to patch pam_krb5 to allow
overriding in krb5.conf (possibly by an option, possibly by default).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/369575

Title:
  Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Status in kerberos-configs package in Ubuntu:
  Triaged
Status in libpam-krb5 package in Ubuntu:
  Invalid

Bug description:
  Binary package hint: libpam-krb5

  I'm looking at libpam-krb5 version 3.13-2ubuntu1, in Jaunty.

  The pam-auth-update profile file /usr/share/pam-configs/krb5 has
  invocations of pam_krb5.so with the hardcoded option minimum_uid=1000.
  Presumably, this is to exclude system users (uid < 1000) from Kerberos
  authentication.

  The problem is that some installations may have the convention of a
  higher minimum UID for Kerberos users, and their options are limited
  to either modifying the number in the profile file (a no-no given that
  the file lives in /usr and not /etc), or bypassing the krb5 profile
  altogether (either with a custom profile, or direct edits to
  /etc/pam.d/*).

  To make all this concrete: I have a setup where Kerberos users have
  UIDs >= 20000. I specify this right in /etc/krb5.conf, under the
  [appdefaults] section (see the pam_krb5 man page for details on how to
  do this). Users with 1000 >= UID > 20000 are assumed to be local [but
  otherwise normal] users, existing only on the local system. The
  problem is that (1) my minimum_uid option in krb5.conf is being
  overridden by the hardcoded options in .../pam-configs/krb5, and (2)
  when I create a local user with adduser(8), and try to set/change its
  password, I get prompted for "Current Kerberos password:" even though
  no such entity exists in my Kerberos database!

  (FYI: In Intrepid, I was using a custom pam-auth-update profile
  similar to the new krb5 one, but without the minimum_uid= options. I
  had considered it preferable to specify this once in krb5.conf than
  multiple times in this file.)

  I think that the minimum_uid= options should be removed from the krb5
  profile, and the equivalent option added to krb5.conf, where the
  specific UID number can be modified administratively. The current
  approach is not flexible for installations making broad use of
  Kerberos.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/369575/+subscriptions