[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Russ Allbery rra at debian.org
Mon Apr 12 06:38:57 BST 2010


Steve Langasek <steve.langasek at canonical.com> writes:

> Honestly, I don't see any good choices at the packaging level for
> permuting the pam_krb5 options used.

Yeah, that's what it was looking like to me as well.

> Why wouldn't it work to have krb5-config do a one-time adjustment of
> /etc/krb5.conf on upgrade (w/ version guard), and give libpam-krb5 a
> versioned dependency on the version of krb5-config that implements this?

Hm, yes, I suppose I could try that.  I don't see an obvious problem with
it, at least.  I'll run that past Sam and see what he thinks about it.

I'm a little concerned by the implications for sites that maintain a
site-wide krb5.conf file that they distribute to all of their systems and
don't have this setting in it because it doesn't apply uniformly to all of
their systems.  In that situation, they really need to use PAM
configuration instead, and this transition could easily leave them without
a minimum_uid setting.  But I suppose that's what NEWS.Debian is for.

> As for your original problem, Daniel, - you already have to set the
> non-default minimum_uid in krb5.conf; why couldn't you automatically
> apply the same setting to /etc/pam.d/common-* by the same mechanism?
> There may be room for improvement in the package defaults, but ISTM that
> this shouldn't stand in the way of you solving your immediate problem -
> especially given that you're decidedly not using the package defaults
> anyway.

Right -- if you're already distributing a krb5.conf with this setting,
surely the same mechanism could be used to override the PAM configuration
as well.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.
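The concern raised in the message above is that a host can end up with no minimum_uid in either place: a site-wide krb5.conf that omits it, plus PAM lines that no longer carry it. The following check is an added example, not code from the thread or from either package. It assumes pam_krb5 options live in the `[appdefaults]` section of krb5.conf (top level or a `pam = { }` block); the function names and sample data are hypothetical.

```python
import re

def krb5_conf_minimum_uid(text):
    """minimum_uid set in [appdefaults], at top level or inside pam = { }.
    Simplification: realm-specific sub-blocks are ignored."""
    section, stack = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, stack = m.group(1), []
        elif section != "appdefaults":
            continue
        elif line == "}":
            stack = stack[:-1]
        elif m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line):
            key, value = m.groups()
            if value == "{":
                stack.append(key)
            elif key == "minimum_uid" and stack in ([], ["pam"]) and value.isdigit():
                return int(value)
    return None

def pam_lines_without_minimum_uid(pam_files, krb5_conf_text):
    """(file, line number) of each active pam_krb5.so line that gets no
    minimum_uid from its own arguments or from krb5.conf."""
    if krb5_conf_minimum_uid(krb5_conf_text) is not None:
        return []
    missing = []
    for name, text in sorted(pam_files.items()):
        for number, raw in enumerate(text.splitlines(), 1):
            _, found, args = raw.split("#", 1)[0].partition("pam_krb5.so")
            if found and not re.search(r"(?:^|\s)minimum_uid=\d+(?:\s|$)", args):
                missing.append((name, number))
    return missing

# Constructed sample: a site-wide krb5.conf without the setting, and PAM files
# where only one pam_krb5.so line carries it.
SITE_KRB5_CONF = """\
[appdefaults]
    pam = {
        forwardable = true
    }
"""
PAM_FILES = {
    "common-auth": "auth [success=1 default=ignore] pam_krb5.so minimum_uid=1000\n",
    "common-session": "session optional pam_krb5.so\n",
}
print(pam_lines_without_minimum_uid(PAM_FILES, SITE_KRB5_CONF))
```

On a real host the inputs would be the contents of /etc/krb5.conf and the /etc/pam.d/common-* files, read before and after the upgrade.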


