[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Russ Allbery rra at debian.org
Thu Apr 30 03:09:17 BST 2009

Steve Langasek <steve.langasek at canonical.com> writes:

> But it would also be reasonable to set this default via appdefaults in
> /etc/krb5.conf, which I didn't know was possible - if that were done
> in the default krb5.conf, then we could drop the module option from
> /usr/share/pam/configs/krb5.  So I'll mark this bug as invalid for
> pam-krb5, and open a task on kerberos-configs.

In practice, krb5.conf files usually aren't a useful place to set
distribution options.  A lot of sites that use Kerberos (such as
Stanford) distribute a global krb5.conf file for the whole site and
encourage all users to just install it.  One has to assume that in most
cases krb5.conf is going to get overridden by the user.  (This is one of
the reasons why it's not a conffile in kerberos-configs and instead is
only created once and then very selectively modified, so note that no
changes will be picked up by existing systems, only by new

I'm not sure there's any reason *not* to set the option in krb5.conf,
other than maybe a minor slippery slope argument that setting
application options in the distribution default krb5.conf isn't going to
scale well since we don't have an include mechanism for fragments.  But
it may or may not really fix the problem of preventing Kerberos getting
in the way of local logins as thoroughly as using a PAM option.

The reason why that option is recommended is because if there's
something wrong with the network that causes pam-krb5 to hang for long
periods, login can time out and leave you in a situation where you can't
log in as root.  Maybe it would make sense to leave minimum_uid for
/etc/krb5.conf but set ignore_root in the profile to eliminate the worst
of the problem of not having minimum_uid set.

Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
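The krb5.conf form of the two pam-krb5 options discussed above, as an added illustration that is not part of the thread or of the pam-krb5 package's own files; the uid value 1000 and the file paths are assumptions for a typical Debian-derived system:

```ini
# /etc/krb5.conf (added example; 1000 is an assumed cut-off for the first
# regular account, matching the minimum_uid= module option carried in
# /usr/share/pam-configs/krb5 that this thread is about)
[appdefaults]
    pam = {
        # Accounts below this uid (root included) skip Kerberos entirely,
        # so a hung KDC lookup cannot stall a local root login.
        minimum_uid = 1000
        # Narrower fallback: never attempt Kerberos for root.
        ignore_root = true
    }

# Caveat from the message above: a site-distributed krb5.conf that replaces
# this file wholesale silently drops both settings. The module-option form,
# which lives in the PAM profile and survives such a replacement, is:
#   auth  [success=end default=ignore]  pam_krb5.so minimum_uid=1000
```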
