[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Russ Allbery rra at debian.org
Wed Mar 31 05:11:20 BST 2010


"Daniel Richard G." <skunk at iskunk.org> writes:

> I know this isn't a big deal in the larger scheme of things, but it's
> the difference between being able to use the stock krb5 profile, and
> having to maintain a custom one. (And remember, the current behavior
> involves headaches if you have any non-root local users.)

The current behavior does the correct thing if the UID allocation strategy
follows Debian policy, including for local users.  That's what I mean by
not being convinced that the current behavior is wrong.

I realize there are sites that have UID allocation strategies that don't
follow the Debian guarantees about UID ranges and therefore need to use
lower UIDs due to historic allocations, although I'm surprised that those
sites would also be interested in using a stock PAM configuration (or, for
that matter, a stock krb5.conf).

You really don't want pam-krb5 to be willing to authenticate system users
just because you have a principal in your local realm named "daemon", and
krb5-config never touches an existing krb5.conf file when upgraded, which
makes me nervous about removing this setting from the default PAM
configuration.  This is particularly true in Debian where those accounts
have valid shells by default.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.
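The concern raised in the message above can be checked on a host by comparing the `minimum_uid` floor on the pam_krb5 line with the local account database. The following is an added example, not part of the original message or of pam-krb5: the PAM line, its value of 1000, the passwd entries, and the 1000 boundary for Debian system UIDs are assumptions or constructed samples.

```python
import re

# Constructed sample data (not taken from the original message).
SAMPLE_PAM_LINE = ("auth [success=end default=ignore] pam_krb5.so "
                   "minimum_uid=1000 try_first_pass")
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
olduser:x:500:500:Legacy local user:/home/olduser:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
# Assumption: Debian policy reserves UIDs below 1000 for system accounts.
SYSTEM_UID_LIMIT = 1000
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def minimum_uid(pam_line):
    """Return the minimum_uid set on a pam_krb5 line, or 0 when unset."""
    if "pam_krb5.so" not in pam_line:
        return 0
    match = re.search(r"\bminimum_uid=(\d+)\b", pam_line)
    return int(match.group(1)) if match else 0

def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2]), fields[6]

def audit(passwd_text, pam_line):
    """Return (skipped, review) lists of account names.

    skipped: UID is below minimum_uid, so pam_krb5 ignores the account.
    review:  UID is in the system range, the shell allows login, and
             pam_krb5 still acts, so a same-named principal would count.
    """
    floor = minimum_uid(pam_line)
    skipped, review = [], []
    for name, uid, shell in parse_passwd(passwd_text):
        if uid < floor:
            skipped.append(name)
        elif uid < SYSTEM_UID_LIMIT and shell not in NON_LOGIN_SHELLS:
            review.append(name)
    return skipped, review

if __name__ == "__main__":
    no_floor = SAMPLE_PAM_LINE.replace("minimum_uid=1000 ", "")
    for label, line in (("with floor", SAMPLE_PAM_LINE), ("no floor", no_floor)):
        print(label, audit(SAMPLE_PASSWD, line))
```

On a real system, pass the contents of `/etc/passwd` and the active pam_krb5 auth line instead of the samples; a non-empty `review` list names the accounts to check against the realm's principals before lowering or removing the floor.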


