Comment 9 for bug 275169

Russ Allbery (rra-debian) wrote : Re: [Bug 275169] Re: no kerberos support for pam-auth-update?

Steve Langasek <email address hidden> writes:

> For comparison, here's the /usr/share/pam-configs/krb5 I've been using
> locally for testing:

> Account-Type: Primary
> Account:
> [success=end new_authtok_reqd=done default=ignore] pam_krb5.so

What does end do? It's not documented in the PAM manual. Is that
equivalent to done?

I believe "done" would bypass all local account expiration checks, meaning
that if an account were locally locked, they would still be able to log on
via Kerberos, which is something the recommended configuration is careful
not to do.

> Bryan, does this config look like it's compatible with your setup?
> Could you test that it works in your environment, in which case I'll
> upload it to jaunty?

Is this something that should also be included in the Debian package?

> BTW, I've never needed to use the pam_krb5 session module. As far as
> I'm aware, that only exists as a workaround for services that don't call
> pam_setcred() as expected. Do you know of specific cases where this is
> needed in your environment?

Is there any reason *not* to run it? As upstream maintainer, I would
certainly recommend adding pam_krb5 to the session configuration. Under
most circumstances, it's a no-op, but the module recognizes when it is,
and there are applications that don't call setcred.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
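The point Russ raises above, that `done` on success short-circuits the rest of the account stack while `ok` lets a later local check still veto the login, can be seen by walking the documented Linux-PAM control actions (`ignore`, `ok`, `done`, `bad`, `die`, jump `N`) over a small stack. The following simulator is an added example and not code from this bug thread, Debian, or pam_krb5; the `pam_krb5.so` and `pam_unix.so` behaviours are hypothetical stand-ins that return fixed PAM codes for a constructed user, and the pam-auth-update `end` action that Steve's fragment uses is deliberately not modeled, since its meaning is exactly what the message asks about.

```python
"""Model of Linux-PAM account-stack evaluation with [value=action] controls.

Added example: the semantics follow the pam.conf(5) description of
ignore/ok/done/bad/die/N. Module behaviour and the user record are
constructed stand-ins, not real pam_krb5 or pam_unix code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# PAM return codes used by the stand-in modules.
PAM_SUCCESS = "success"
PAM_NEW_AUTHTOK_REQD = "new_authtok_reqd"
PAM_ACCT_EXPIRED = "acct_expired"
PAM_USER_UNKNOWN = "user_unknown"
PAM_PERM_DENIED = "perm_denied"  # result when nothing in the stack contributed

# Expansion of the "required" keyword, as documented in pam.conf(5).
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok",
            "ignore": "ignore", "default": "bad"}


@dataclass
class Line:
    name: str
    control: Dict[str, str]          # e.g. {"success": "done", "default": "ignore"}
    module: Callable[[dict], str]    # stand-in for the module's pam_sm_acct_mgmt


def evaluate(stack: List[Line], user: dict) -> str:
    """Run the stack and return the code the application would see."""
    impression = None          # None (undefined), "positive" or "negative"
    status = PAM_PERM_DENIED
    i = 0
    while i < len(stack):
        line = stack[i]
        ret = line.module(user)
        action = line.control.get(ret, line.control.get("default", "bad"))
        if action == "ignore":
            i += 1
            continue
        if action in ("ok", "done") or action.isdigit():
            # ok: contributes unless an earlier module already failed.
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                return status              # stack terminates immediately
            if action.isdigit():
                i += int(action)           # jump over the next N modules
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret   # first failure wins
            if action == "die":
                return status
        i += 1
    return status


# Hypothetical stand-ins for the two account modules.
def krb5_account(user: dict) -> str:
    return PAM_SUCCESS if user["krb5_principal"] else PAM_USER_UNKNOWN


def unix_account(user: dict) -> str:
    return PAM_ACCT_EXPIRED if user["local_expired"] else PAM_SUCCESS


def build_stack(krb5_success_action: str) -> List[Line]:
    """Account stack: pam_krb5 first (Primary), pam_unix after it as required."""
    return [
        Line("pam_krb5.so",
             {"success": krb5_success_action,
              "new_authtok_reqd": "done", "default": "ignore"},
             krb5_account),
        Line("pam_unix.so", dict(REQUIRED), unix_account),
    ]


# Constructed user: valid Kerberos principal, but the local account has expired.
ALICE = {"krb5_principal": "alice@EXAMPLE.COM", "local_expired": True}
# Constructed user: local-only account in good standing.
BOB = {"krb5_principal": None, "local_expired": False}


def compare(user: dict) -> Dict[str, str]:
    """Outcome of the same login under success=done versus success=ok."""
    return {action: evaluate(build_stack(action), user) for action in ("done", "ok")}


if __name__ == "__main__":
    for name, user in (("alice", ALICE), ("bob", BOB)):
        print(name, compare(user))
```

With `success=done`, alice's expired local account never reaches pam_unix and the stack returns `success`; with `success=ok`, pam_unix still runs and its `acct_expired` result overrides the earlier success, which is the behaviour the recommended configuration is described as preserving. A local-only user such as bob gets `ignore` from the pam_krb5 line under either setting and is decided by pam_unix alone.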