Comment 22 for bug 369575

Daniel Richard G. (skunk) wrote:

> I guess I'm a bit baffled by why fixing your PAM configuration is a workaround but installing a custom krb5.conf is a desired configuration step.

krb5.conf is a config file under /etc. That's the ideal place to make configuration changes. As it is, right now, adding the minimum_uid bit involves just appending a few lines to the file---it doesn't get much simpler than that.

> It's a weird situation, since krb5-config doesn't know whether you're ever going to care about the Kerberos PAM module. You may be installing a krb5.conf for some other reason entirely.

Yeah, that's true. It's like with LDAP; my site uses LDAP for "ls -l", ~user lookups et al., but not for authentication. Still, having it in debconf may be convenient enough for sites that use pam_krb5, to be worth the "this setting only has an effect if ..." qualifier for sites that don't.

Though I haven't made much use of [appdefaults] myself (just for the PAM module), I've never seen a philosophical problem with it, since all the settings there would relate to Kerberos anyway---it just comes down to making the admin's job easier. Splitting them out elsewhere might be more pedantically correct, but...

For that matter, has there been any talk on a better way of doing krb5.conf, like doing a /etc/krb5.conf.d/ or a krb5-auth-update(8) or the like? With all that's been said here about the limitations of the file and how it's structured/managed, it seems like this is a problem that's crying out for a solution.