Comment 1 for bug 369575

Steve Langasek (vorlon) wrote:

Hi Daniel,

> Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Because this is the correct default minimum_uid value to use on Ubuntu systems, where 1000 marks the boundary between system and user accounts, and this default has not been otherwise specified.

> The problem is that some installations may have the convention of a higher minimum UID for Kerberos
> users, and their options are limited to either modifying the number in the profile file (a no-no given that
> the file lives in /usr and not /etc), or bypassing the krb5 profile altogether (either with a custom profile,
> or direct edits to /etc/pam.d/*).

Well, no, you have two other options:

- edit /etc/pam.d/common-* directly to remove / modify the minimum_uid option according to your site's needs (these are config files, and pam-auth-update is meant to honor any changes you make to the module options - if it fails to do so, that's a bug), or
- provide your own 'krb5-mysite' profile in /usr/share/pam-configs/ and use that in place of the default one.

But it would also be reasonable to set this default via appdefaults in /etc/krb5.conf, which I didn't know was possible - if that were done in the default krb5.conf, then we could drop the module option from /usr/share/pam/configs/krb5. So I'll mark this bug as invalid for pam-krb5, and open a task on kerberos-configs.
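
Added example, not part of the comment above and not code from pam-krb5 or Ubuntu: a small audit helper that reports which minimum_uid actually applies to each pam_krb5.so line when the value may come from either the PAM module argument or [appdefaults] in krb5.conf. It assumes a module argument takes precedence over krb5.conf and handles only a top-level setting or a `pam = { }` block; the function names and both sample files are constructed for illustration.

```python
import re

# Constructed sample inputs (not copied from a real system or package).
SAMPLE_COMMON_AUTH = """\
auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000 try_first_pass
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth  requisite  pam_deny.so
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[appdefaults]
    pam = {
        minimum_uid = 5000
    }
"""

def appdefaults_minimum_uid(krb5_conf):
    """Return minimum_uid from [appdefaults], preferring the pam = { } block."""
    section, block, found = None, None, {}
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = header.group(1), None
        elif section == "appdefaults":
            if line.endswith("{"):
                block = line.split("=")[0].strip()   # e.g. "pam"
            elif line == "}":
                block = None
            elif block in (None, "pam"):
                key, _, val = line.partition("=")
                if key.strip() == "minimum_uid":
                    found[block] = int(val)
    return found.get("pam", found.get(None))

def effective_minimum_uid(pam_text, krb5_conf):
    """Return (value, source) for every active pam_krb5.so line in pam_text."""
    fallback = appdefaults_minimum_uid(krb5_conf)
    results = []
    for line in pam_text.splitlines():
        if line.lstrip().startswith("#") or "pam_krb5.so" not in line:
            continue
        arg = re.search(r"\bminimum_uid=(\d+)", line)
        if arg:   # assumption: a module argument overrides krb5.conf
            results.append((int(arg.group(1)), "pam argument"))
        else:
            results.append((fallback, "krb5.conf appdefaults" if fallback is not None else "unset"))
    return results
```

A result of `(None, "unset")` means neither place sets a boundary for that line.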