[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

[Russ Allbery]

John Moser <john.r.moser at gmail.com> writes:

> Honestly the right option is probably to patch pam_krb5 to allow
> overriding in krb5.conf (possibly by an option, possibly by default).

PAM options intentionally override krb5.conf settings because you need to
be able to override some options for specific programs.  Reversing that
will break way, way more than this.

krb5.conf snippets, and then moving this setting into a snippet on new
installations, is the right long-term solution to this problem, I think.
Heimdal now supports including a directory of conf files.  The remaining
work is in krb5-config, and I think there's some discussion in the Debian
bug.

Separately, I do think that the pam-update-config configuration files
really should be conffiles in their own right.  I'm not sure why they were
made system files installed in /usr/share originally.  They seem very
config-y to me, and that would be another relatively clean solution.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/369575

Title:
  Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Status in kerberos-configs package in Ubuntu:
  Triaged
Status in libpam-krb5 package in Ubuntu:
  Invalid

Bug description:
  Binary package hint: libpam-krb5

  I'm looking at libpam-krb5 version 3.13-2ubuntu1, in Jaunty.

  The pam-auth-update profile file /usr/share/pam-configs/krb5 has
  invocations of pam_krb5.so with the hardcoded option minimum_uid=1000.
  Presumably, this is to exclude system users (uid < 1000) from Kerberos
  authentication.

  The problem is that some installations may have the convention of a
  higher minimum UID for Kerberos users, and their options are limited
  to either modifying the number in the profile file (a no-no given that
  the file lives in /usr and not /etc), or bypassing the krb5 profile
  altogether (either with a custom profile, or direct edits to
  /etc/pam.d/*).

  To make all this concrete: I have a setup where Kerberos users have
  UIDs >= 20000. I specify this right in /etc/krb5.conf, under the
  [appdefaults] section (see the pam_krb5 man page for details on how to
  do this). Users with 1000 >= UID > 20000 are assumed to be local [but
  otherwise normal] users, existing only on the local system. The
  problem is that (1) my minimum_uid option in krb5.conf is being
  overridden by the hardcoded options in .../pam-configs/krb5, and (2)
  when I create a local user with adduser(8), and try to set/change its
  password, I get prompted for "Current Kerberos password:" even though
  no such entity exists in my Kerberos database!

  (FYI: In Intrepid, I was using a custom pam-auth-update profile
  similar to the new krb5 one, but without the minimum_uid= options. I
  had considered it preferable to specify this once in krb5.conf than
  multiple times in this file.)

  I think that the minimum_uid= options should be removed from the krb5
  profile, and the equivalent option added to krb5.conf, where the
  specific UID number can be modified administratively. The current
  approach is not flexible for installations making broad use of
  Kerberos.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/369575/+subscriptions