In order to take the path of moving this setting to a krb5.conf snippet that's included by the default krb5.conf, at the very least it needs to work with both Heimdal and MIT. I don't think Heimdal supports including krb5.conf snippets, which means we can't use the include functionality in kerberos-configs.
The upgrade path for this is going to be awful no matter what. :(
I don't think it's acceptable from a security standpoint for minimum_uid to be turned off by an upgrade without an affirmative response from the user (not any sort of default), and we can't use any sort of krb5-config dependency to ensure that a Kerberos configuration fragment is available (even if Heimdal supports it) because krb5-config intentionally doesn't mess with a user-supplied krb5.conf file. So we'd have to do something really fancy here that preserves the minimum_uid setting for all old installations unless the admin intentionally removes it, and I'm not entirely sure how to do that. All the approaches I can think of have obvious ways in which the setting is lost.
Some sort of user override on the default pam-auth-update configuration would be ideal, but I can understand that not being a priority.
I would love to find a way to fix this, but we really *cannot* have an upgrade turn off minimum_uid without user intervention. I think a package that would do that would deserve a CVE due to the security vulnerabilities that this can introduce, since the local admin may be relying on that setting for local security.
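The concern above is that an upgrade could silently drop the minimum_uid floor from the pam_krb5 stack. Below is an added audit script (not from the bug report or the pam-krb5 project) that an administrator could run after an upgrade to confirm the floor is still in effect. It assumes what the pam-krb5 documentation states: options given as module arguments in the PAM stack take precedence over the same options in the krb5.conf [appdefaults] "pam" section. The PAM and krb5.conf inputs are constructed samples, the krb5.conf parser is a deliberate simplification (top-level `pam = { ... }` only, no per-realm nesting), and the function names are the example's own.

```python
import re

# Constructed sample inputs (not from the bug report). PAM_BEFORE carries
# minimum_uid as a module argument; PAM_AFTER is what a hypothetical
# pam-auth-update rewrite might produce if the argument were dropped.
PAM_BEFORE = """\
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

PAM_AFTER = """\
auth    [success=2 default=ignore]      pam_krb5.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Constructed krb5.conf fragment: pam-krb5 also reads its options from the
# [appdefaults] "pam" subsection, so the floor may be configured here instead.
KRB5_CONF = """\
[appdefaults]
    pam = {
        minimum_uid = 1000
    }
"""

# type, control (bare word or [bracketed]), module path, optional arguments
PAM_LINE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*?)\s*$")


def pam_krb5_minimum_uid(pam_text):
    """Map each PAM type (auth, account, ...) that calls pam_krb5.so to the
    minimum_uid given as a module argument, or None if the argument is absent.
    Lines calling other modules are ignored."""
    result = {}
    for line in pam_text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0])
        if not m:
            continue
        ptype, _control, module, args = m.groups()
        if module.rsplit("/", 1)[-1] != "pam_krb5.so":
            continue
        value = None
        for arg in args.split():
            if arg.startswith("minimum_uid="):
                value = int(arg.split("=", 1)[1])
        result[ptype] = value
    return result


def krb5_pam_minimum_uid(krb5_text, subsection="pam"):
    """Return minimum_uid from [appdefaults] <subsection> = { ... } in a
    krb5.conf-style text, or None. Simplified parser: one key = value per
    line, braces open and close nested groups, only the top-level group
    named <subsection> is consulted (an assumption of this example)."""
    section, stack = None, []
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stack = line[1:-1].strip(), []
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            stack.append(key)
            continue
        if section == "appdefaults" and stack == [subsection] and key == "minimum_uid":
            return int(value)
    return None


def effective_minimum_uid(pam_text, krb5_text):
    """Effective floor per PAM type: a module argument wins; otherwise the
    krb5.conf appdefaults value applies; None means no floor at all."""
    fallback = krb5_pam_minimum_uid(krb5_text)
    return {ptype: (arg if arg is not None else fallback)
            for ptype, arg in pam_krb5_minimum_uid(pam_text).items()}


def audit_upgrade(pam_before, pam_after, krb5_text):
    """Return the PAM types whose minimum_uid floor was removed or lowered
    between the pre-upgrade and post-upgrade stacks."""
    before = effective_minimum_uid(pam_before, krb5_text)
    after = effective_minimum_uid(pam_after, krb5_text)
    lost = []
    for ptype, old in before.items():
        if old is None:
            continue
        new = after.get(ptype)
        if new is None or new < old:
            lost.append(ptype)
    return lost


if __name__ == "__main__":
    # With no krb5.conf fallback the rewritten stack has lost the floor.
    print("lost without krb5.conf fallback:", audit_upgrade(PAM_BEFORE, PAM_AFTER, ""))
    # With the appdefaults fragment in place the floor survives the rewrite.
    print("lost with krb5.conf fallback:", audit_upgrade(PAM_BEFORE, PAM_AFTER, KRB5_CONF))
```

Run against the real `/etc/pam.d/common-auth` (saved copy from before the upgrade, current copy after) and `/etc/krb5.conf`; a non-empty result from `audit_upgrade` is exactly the silent regression the discussion wants to rule out.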