Comment 36 for bug 369575

Russ Allbery (rra-debian) wrote:

In order to take the path of moving this setting to a krb5.conf snippet that's included by the default krb5.conf, at the very least it needs to work with both Heimdal and MIT. I don't think Heimdal supports including krb5.conf snippets, which means we can't use the include functionality in kerberos-configs.

The upgrade path for this is going to be awful no matter what. :(

I don't think it's acceptable from a security standpoint for minimum_uid to be turned off by an upgrade without an affirmative response from the user (not any sort of default), and we can't use any sort of krb5-config dependency to ensure that a Kerberos configuration fragment is available (even if Heimdal supports it) because krb5-config intentionally doesn't mess with a user-supplied krb5.conf file. So we'd have to do something really fancy here that preserves the minimum_uid setting for all old installations unless the admin intentionally removes it, and I'm not entirely sure how to do that. All the approaches I can think of have obvious ways in which the setting is lost.

Some sort of user override on the default pam-auth-update configuration would be ideal, but I can understand that not being a priority.

I would love to find a way to fix this, but we really *cannot* have an upgrade turn off minimum_uid without user intervention. I think a package that would do that would deserve a CVE due to the security vulnerabilities that can introduce, since the local admin may be relying on that setting for local security.
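As an added example (not code from the bug thread or from pam-krb5 itself): a post-upgrade check an admin can run to confirm that the `minimum_uid` argument on the pam_krb5 auth line survived, which is exactly the silent loss the comment above warns about. The `common-auth` content below is constructed for illustration; in practice the text would be read from `/etc/pam.d/common-auth`.

```python
import re
from typing import Optional

# Constructed sample of a Debian-style /etc/pam.d/common-auth as written by
# pam-auth-update, with pam_krb5 still carrying minimum_uid (values made up).
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Matches an auth line for pam_krb5.so; the control field may be a plain
# keyword (required, sufficient, ...) or a bracketed [success=... default=...].
PAM_KRB5_RE = re.compile(r"^\s*auth\s+(\[.*?\]|\S+)\s+pam_krb5\.so\b(.*)$")


def krb5_minimum_uid(pam_text: str) -> Optional[int]:
    """Return minimum_uid from the first pam_krb5 auth line, or None.

    None is also returned when pam_krb5 is present but the argument is
    missing, which is the unsafe state an upgrade must not produce.
    """
    for line in pam_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PAM_KRB5_RE.match(line)
        if not m:
            continue
        for arg in m.group(2).split():
            key, sep, value = arg.partition("=")
            if key == "minimum_uid" and sep and value.isdigit():
                return int(value)
        return None
    return None


def minimum_uid_preserved(pam_text: str, expected: int) -> bool:
    """True if minimum_uid is set and at least as strict as before the upgrade."""
    got = krb5_minimum_uid(pam_text)
    return got is not None and got >= expected


if __name__ == "__main__":
    print("minimum_uid =", krb5_minimum_uid(SAMPLE_COMMON_AUTH))
    print("preserved:", minimum_uid_preserved(SAMPLE_COMMON_AUTH, 1000))
```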