[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Daniel Richard G. skunk at iskunk.org
Tue Apr 13 07:48:21 BST 2010


> I guess I'm a bit baffled by why fixing your PAM configuration is a
> workaround but installing a custom krb5.conf is a desired configuration
> step.

krb5.conf is a config file under /etc. That's the ideal place to make
configuration changes. As it is, right now, adding the minimum_uid bit
involves just appending a few lines to the file---it doesn't get much
simpler than that.

> It's a weird situation, since krb5-config doesn't know whether you're
> ever going to care about the Kerberos PAM module. You may be installing
> a krb5.conf for some other reason entirely.

Yeah, that's true. It's like with LDAP; my site uses LDAP for "ls -l",
~user lookups et al., but not for authentication. Still, having it in
debconf may be convenient enough for sites that use pam_krb5, to be
worth the "this setting only has an effect if ..." qualifier for sites
that don't.

Though I haven't made much use of [appdefaults] myself (just for the PAM
module), I've never seen a philosophical problem with it, since all the
settings there would relate to Kerberos anyway---it just comes down to
making the admin's job easier. Splitting them out elsewhere might be
more pedantically correct, but...

For that matter, has there been any talk on a better way of doing
krb5.conf, like doing a /etc/krb5.conf.d/ or a krb5-auth-update(8) or
the like? With all that's been said here about the limitations of the
file and how it's structured/managed, it seems like this is a problem
that's crying out for a solution.

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575