[Bug 962560] Re: pam-auth-update Account-Type should be "Additional"

Russ Allbery rra at debian.org
Mon Mar 26 16:41:25 UTC 2012

This analysis looks right to me, and I think may run deeper than just
this one module.  If every account module should be additional and not
primary, I think that points to an error in the data model or
interpretation of the data model, rather than in individual PAM
configurations.  And viewing the account stack as a guantlet of denials
where one should therefore not skip modules makes sense to me.

Modules doing account checks for which the auth check never ran and
which therefore cannot do anything meaningful (not the case for
pam_ldap, where the auth and account checks are unrelated, but the case
for things like pam-krb5) should return PAM_IGNORE on account if they're
not meaningful.  And indeed pam-krb5 already does.

Adding libpam-runtime to get the opinion of the pam-auth-update author.

** Also affects: pam (Ubuntu)
   Importance: Undecided
       Status: New

You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libpam-ldap in Ubuntu.

  pam-auth-update Account-Type should be "Additional"

To manage notifications about this bug go to:

More information about the Ubuntu-server-bugs mailing list