Comment 3 for bug 369575

minimum_uid in krb5.conf, and ignore_root in .../pam-configs/krb5 sounds like a good way to go. For sites that distribute a global krb5.conf, they can always add the minimum_uid option if they like---if it's not already there, the distribution is likely passing that in as a PAM module option anyway (whether via pam-auth-update or otherwise).

For now, I guess I'll have to go with the custom krb5-mysite profile option. (Editing /etc/pam.d/common-* is possible, and indeed honored by pam-auth-update, but then you lose the whole benefit of being able to generate the config with a checklist. From an administrative standpoint, that's a *major* price to pay.)