[Bug 369575] [NEW] Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Daniel Richard G. skunk at iskunk.org
Wed Apr 29 22:37:48 UTC 2009


Public bug reported:

Binary package hint: libpam-krb5

I'm looking at libpam-krb5 version 3.13-2ubuntu1, in Jaunty.

The pam-auth-update profile file /usr/share/pam-configs/krb5 has
invocations of pam_krb5.so with the hardcoded option minimum_uid=1000.
Presumably, this is to exclude system users (uid < 1000) from Kerberos
authentication.

The problem is that some installations may have the convention of a
higher minimum UID for Kerberos users, and their options are limited to
either modifying the number in the profile file (a no-no given that the
file lives in /usr and not /etc), or bypassing the krb5 profile
altogether (either with a custom profile, or direct edits to
/etc/pam.d/*).

To make all this concrete: I have a setup where Kerberos users have UIDs
>= 20000. I specify this right in /etc/krb5.conf, under the
[appdefaults] section (see the pam_krb5 man page for details on how to
do this). Users with 1000 >= UID > 20000 are assumed to be local [but
otherwise normal] users, existing only on the local system. The problem
is that (1) my minimum_uid option in krb5.conf is being overridden by
the hardcoded options in .../pam-configs/krb5, and (2) when I create a
local user with adduser(8), and try to set/change its password, I get
prompted for "Current Kerberos password:" even though no such entity
exists in my Kerberos database!

(FYI: In Intrepid, I was using a custom pam-auth-update profile similar
to the new krb5 one, but without the minimum_uid= options. I had
considered it preferable to specify this once in krb5.conf than multiple
times in this file.)

I think that the minimum_uid= options should be removed from the krb5
profile, and the equivalent option added to krb5.conf, where the
specific UID number can be modified administratively. The current
approach is not flexible for installations making broad use of Kerberos.

** Affects: libpam-krb5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
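
An added example, not part of the original bug report or of the libpam-krb5 package: a check for the override the report describes, flagging pam_krb5.so lines whose minimum_uid= argument differs from the value set under [appdefaults] in krb5.conf. The sample file contents and function names are constructed for illustration, and the parser assumes minimum_uid sits directly under [appdefaults] or in its pam = { } block.

```python
import re

# Constructed sample inputs (not copied from any real system or package).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[appdefaults]
    pam = {
        minimum_uid = 20000
    }
"""
SAMPLE_PAM_FILES = {
    "common-auth": "auth [success=end default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass\n",
    "common-password": "password [success=end default=ignore] pam_krb5.so minimum_uid=1000 use_authtok\n",
    "common-session": "# no module argument here, so krb5.conf applies\nsession optional pam_krb5.so\n",
}

def appdefaults_minimum_uid(krb5_conf):
    """Return the first minimum_uid found in the [appdefaults] section, or None."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        m = re.fullmatch(r"minimum_uid\s*=\s*(\d+)", line)
        if section == "appdefaults" and m:
            return int(m.group(1))
    return None

def find_overrides(pam_files, krb5_conf):
    """List (file, lineno, pam_value, conf_value) where a PAM argument differs from krb5.conf."""
    conf_value = appdefaults_minimum_uid(krb5_conf)
    hits = []
    for name, text in sorted(pam_files.items()):
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0]  # ignore PAM comments
            if "pam_krb5.so" not in line:
                continue
            m = re.search(r"\bminimum_uid=(\d+)", line)
            if m and int(m.group(1)) != conf_value:
                hits.append((name, lineno, int(m.group(1)), conf_value))
    return hits

if __name__ == "__main__":
    for name, lineno, pam_uid, conf_uid in find_overrides(SAMPLE_PAM_FILES, SAMPLE_KRB5_CONF):
        print(f"{name}:{lineno}: minimum_uid={pam_uid} on the PAM line overrides krb5.conf ({conf_uid})")
```

To audit a real host, pass the contents of the files under /etc/pam.d and of /etc/krb5.conf in place of the constructed samples.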



