Comment 5 for bug 826989
Revision history for this message
| Russ Allbery (rra-debian) wrote Re: [Bug 826989] Re: Cannot change Kerberos password with passwd(1) | #5 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
"Daniel Richard G." <email address hidden> writes:
> Okay, here is /etc/pam.
> auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> And here is /etc/pam.
> password requisite pam_krb5.so minimum_uid=1000
> password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Yeah, I suspect it would do what you want if you made this match the
common-auth configuration.
> password requisite pam_deny.so
> password required pam_permit.so
> (Both of these were produced by pam-auth-update, from stock PAM
> profiles.)
> In the auth stack, pam_krb5 succeeding is enough to allow login. Why
> doesn't the PAM profile for libpam-krb5 likewise specify "[success=end
> default=ignore]" for the password stack? As things are, you get
> inconsistent behavior between the two stacks.
It was the way Steve implemented this originally, and I remember that he
had some rationale for it, but I don't remember what it is. :/ I'll ask
him separately. It may be that they should change.
Thanks, that gets me pointed in the right direction.
--
Russ Allbery (<email address hidden>) <http://