Comment 7 for bug 369575

Russ Allbery (rra-debian) wrote : Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

"Daniel Richard G." <email address hidden> writes:

> I know this isn't a big deal in the larger scheme of things, but it's
> the difference between being able to use the stock krb5 profile, and
> having to maintain a custom one. (And remember, the current behavior
> involves headaches if you have any non-root local users.)

The current behavior does the correct thing if the UID allocation strategy
follows Debian policy, including for local users. That's what I mean by
not being convinced that the current behavior is wrong.

I realize there are sites that have UID allocation strategies that don't
follow the Debian guarantees about UID ranges and therefore need to use
lower UIDs due to historic allocations, although I'm surprised that those
sites would also be interested in using a stock PAM configuration (or, for
that matter, a stock krb5.conf).

You really don't want pam-krb5 to be willing to authenticate system users
just because you have a principal in your local realm named "daemon", and
krb5-config never touches an existing krb5.conf file when upgraded, which
makes me nervous about removing this setting from the default PAM
configuration. This is particularly true in Debian where those accounts
have valid shells by default.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
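Added example, not part of the original comment or of pam-krb5: a small audit that reads the minimum_uid floor from a PAM line and lists the local accounts below it that still have a usable shell, i.e. the accounts the comment is concerned about if the setting were dropped. The PAM line, the passwd entries (including the "localadm" account) and the nologin shell list are constructed samples; the script looks only at the PAM text, not at krb5.conf.

```python
import re

# Constructed sample: a pam_krb5 auth line with a minimum_uid floor (value assumed).
SAMPLE_PAM = "auth [success=end default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass\n"

# Constructed sample passwd entries; "localadm" is a hypothetical low-UID local user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
localadm:x:500:500:Legacy admin:/home/localadm:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells treated as "cannot log in" (assumed list; adjust per site).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def krb5_uid_floor(pam_text):
    """Lowest minimum_uid over all pam_krb5 lines; 0 if a line sets none;
    None if pam_krb5 is not configured at all."""
    floors = []
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if "pam_krb5.so" not in line:
            continue
        m = re.search(r"\bminimum_uid=(\d+)", line)
        floors.append(int(m.group(1)) if m else 0)
    return min(floors) if floors else None

def parse_passwd(passwd_text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2]), fields[6]

def shielded_login_accounts(passwd_text, pam_text):
    """Accounts below the floor that have a usable shell: these are skipped by
    pam_krb5 today and would stop being skipped if minimum_uid were removed."""
    floor = krb5_uid_floor(pam_text)
    if not floor:                             # no pam_krb5 line, or no floor set
        return []
    return [(name, uid, shell) for name, uid, shell in parse_passwd(passwd_text)
            if uid < floor and shell not in NOLOGIN_SHELLS]

if __name__ == "__main__":
    print("floor:", krb5_uid_floor(SAMPLE_PAM))
    for name, uid, shell in shielded_login_accounts(SAMPLE_PASSWD, SAMPLE_PAM):
        print(f"{name} uid={uid} shell={shell}")
```

On a real host, pass the contents of /etc/passwd and the relevant PAM file in place of the samples.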