pam-auth-update should ignore backup files in /usr/share/pam-configs/krb5

Thank you for taking the time to report this bug and help to improve Ubuntu.

While the way in which you encountered this bug is flawed (you should not edit package-owned files under /usr/share, your changes will be discarded on package upgrade), this is a bug, mainly because there is a chance that extra copies of config files will be present while dpkg is in the middle of upgrading packages. So we need to ignore .dpkg-new versions of files in this directory, and can just as well ignore ~ files too.

> you should not edit package-owned files under /usr/share

what is the recommended mechanism to adjust PAM settings? not everyone will be happy with the defaults

On Fri, Feb 27, 2009 at 08:20:58AM -0000, Michael Kofler wrote:
> > you should not edit package-owned files under /usr/share

> what is the recommended mechanism to adjust PAM settings?

For module options, edit them directly in /etc/pam.d/common-*. If the
/stack/ constructed by pam-auth-update is unsuitable for your needs, don't
enable that module profile at all and configure your stack by hand.
pam-auth-update isn't intended to be a comprehensive solution to all users'
auth configuration needs, it's just intended to cover 99% of the use cases.

> not everyone will be happy with the defaults

However, I think it will be very rare that users need to change the
minimum_uid option to pam_krb5. On Debian and Ubuntu systems, 1000 is the
documented boundary between system accounts and user accounts; and it's rare
to have user accounts split between local and network accounts when using
kerberos.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>