Comment 20 for bug 369575

Russ Allbery (rra-debian) wrote : Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

"Daniel Richard G." <email address hidden> writes:

> At the moment, my PAM-profile override *is* put into place by the same
> script that adds the minimum_uid bit to krb5.conf. But that's just a
> workaround. I don't need a workaround; I need a fix for this, so that I
> can toss the workaround :-)

I guess I'm a bit baffled by why fixing your PAM configuration is a
workaround but installing a custom krb5.conf is a desired configuration
step. That just isn't how I think about the files. But that's okay, I
don't have to understand. :)

> (Incidentally, Russ, Steve... what would you think of asking minimum_uid
> as a debconf question, when initially creating krb5.conf? Other sites
> may want to frob this setting as well.)

It's a weird situation, since krb5-config doesn't know whether you're ever
going to care about the Kerberos PAM module. You may be installing a
krb5.conf for some other reason entirely.

A strong argument could be made that the whole [appdefaults] thing in
krb5.conf is a basically bad idea (particularly since krb5.conf doesn't
support file includes) and should not be used to distribute PAM
configuration, or any other app-specific configuration. That's part of
the reason why it was initially done through the PAM configuration
directly, since after all it is configuration for the PAM module, not for
the general Kerberos installation on the system. But despite feeling that
at times, I do use [appdefaults] for a bunch of my stuff because it's
convenient to have a nice configuration syntax and configuration reading
functions built-in, and because a lot of people like to distribute
Kerberos settings site-wide through krb5.conf and there are some PAM
settings that are really site-wide. (I don't think of minimum_uid as one,
but things like renewable lifetime or forwardable tickets are more.)

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
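The two places this thread discusses for setting minimum_uid (the PAM module line and [appdefaults] in krb5.conf) can be audited together. The script below is an added example, not part of the original comment and not the pam-krb5 project's code; it assumes the module reads a `pam = { ... }` subsection of [appdefaults] and that arguments on the PAM line take precedence over krb5.conf, and all sample values are constructed.

```python
import re

# Constructed sample inputs (not taken from the bug report).
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[appdefaults]
    pam = {
        minimum_uid = 500
        forwardable = true
    }
"""
PAM_LINE = "auth sufficient pam_krb5.so minimum_uid=1000 try_first_pass"

def appdefaults_pam(conf_text):
    """Return options from the `pam = { ... }` block of [appdefaults]."""
    opts, section, in_pam = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:  # a new [section] header ends any open pam block
            section, in_pam = m.group(1), False
        elif section == "appdefaults":
            if re.fullmatch(r"pam\s*=\s*\{", line):
                in_pam = True
            elif line == "}":
                in_pam = False
            elif in_pam and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                opts[key] = value
    return opts

def pam_line_options(pam_line):
    """Return module arguments that follow pam_krb5.so on a PAM config line."""
    words = pam_line.split()
    idx = next((i for i, w in enumerate(words) if w.endswith("pam_krb5.so")), None)
    args = [] if idx is None else words[idx + 1:]
    return dict(w.split("=", 1) if "=" in w else (w, "true") for w in args)

def effective(option, conf_text, pam_line):
    """Report (value, source); assumes PAM-line arguments win over krb5.conf."""
    for source, opts in (("pam", pam_line_options(pam_line)),
                         ("krb5.conf", appdefaults_pam(conf_text))):
        if option in opts:
            return opts[option], source
    return None, "default"
```

Realm-scoped and top-level [appdefaults] entries are not handled here; only the `pam` block is read.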