[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Steve Langasek
steve.langasek at canonical.com
Thu Apr 30 02:44:34 BST 2009
Hi Daniel,
> Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Because this is the correct default minimum_uid value to use on Ubuntu
systems, where 1000 marks the boundary between system and user accounts,
and this default has not been otherwise specified.
> The problem is that some installations may have the convention of a higher minimum UID for Kerberos
> users, and their options are limited to either modifying the number in the profile file (a no-no given that
> the file lives in /usr and not /etc), or bypassing the krb5 profile altogether (either with a custom profile,
> or direct edits to /etc/pam.d/*).
Well, no, you have two other options:
- edit /etc/pam.d/common-* directly to remove / modify the minimum_uid option according to your site's needs (these are config files, and pam-auth-update is meant to honor any changes you make to the module options - if it fails to do so, that's a bug), or
- provide your own 'krb5-mysite' profile in /usr/share/pam-configs/ and use that in place of the default one.
But it would also be reasonable to set this default via appdefaults in
/etc/krb5.conf, which I didn't know was possible - if that were done in
the default krb5.conf, then we could drop the module option from
/usr/share/pam-configs/krb5. So I'll mark this bug as invalid for
pam-krb5, and open a task on kerberos-configs.
** Changed in: libpam-krb5 (Ubuntu)
Status: New => Invalid
** Also affects: kerberos-configs (Ubuntu)
Importance: Undecided
Status: New
** Changed in: kerberos-configs (Ubuntu)
Importance: Undecided => Low
** Changed in: kerberos-configs (Ubuntu)
Status: New => Triaged
--
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575