[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Daniel Richard G. skunk at iskunk.org
Tue Apr 13 19:51:41 BST 2010


> Er, how is it silent when pam-auth-update asks you a question?

Silent, in the sense that when you run p-a-u, it doesn't indicate that
the common-* files have been modified in any way; it just presents you
with the same checkbox-list of profiles. You leave everything as-is, hit
OK, look at the file, and the option you had just added is gone.

(Not that I'm keen on the ability for p-a-u to preserve module options
---that means I have to guess what the tool does if the options change
in a profile, and it has to "merge" that change with hand-modified
options in common-*. Even worse if it asks the user what to do; how do
you even word that question without confusing most people?)

> That seems to me like the best way to do things at scale.

I don't want to forgo p-a-u. It's beneficial for single users and
admins, yes, but it's a boon to large sites as well, because it reduces
your entire PAM configuration from four arbitrary freeform "script"
files (in which any mistakes can have major consequences) to a short
vector of enabled/disabled PAM profiles. If a user wants to install
something that hooks into the PAM stack that isn't already in the image
(let's say, ConsoleKit), they don't have to hand-edit/merge anything, or
come running for support when they inevitably break PAM and lock
themselves out; they just check a new box. This is why I never
considered hand-tuning common-*, and instead went with a custom profile.
It's far better to wedge a new piece into p-a-u, than to toss p-a-u
altogether and hand-maintain everything the old-fashioned way. (I can
hardly even stand working with Debian Lenny anymore because it doesn't
have this. That's how big an improvement it's been for me.)

> We can certainly try to make it work more smoothly for you, but it
> does feel like you're creating extra work for yourself in a few places.

As I see it, custom profiles and hand-editing auto-generated files are
"extra work," and I'm trying to laze my way away from that! :-)

> Debian Bug#429692. There's no progress on it so far as I know.

Just #include functionality? That seems overly modest (packages would
still have to modify an existing file, they can't just drop a file into
a directory), but still an improvement over what we have now. *push*
*goad* *cajole*

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.


