Control: severity -1 wishlist
Control: tags -1 pending

Matthew Gabeler-Lee <chee...@fastcat.org> writes:
> On Wed, 23 Aug 2017, Russ Allbery wrote:

>> And let me know if there's a way that I can make this information
>> easier to find in the man page.

> A possible wording for the individual options that might help point
> folks back at the krb5.conf explanation without being too wordy (since
> it gets repeated a lot):

> "This option can be set in the [appdefaults]/pam section or krb5.conf,
> ..."

Good idea. I've made that change for the next upstream release.

> Agreed -- looking through the man page more carefully, I notice there is
> some discussion about a similar issue relating to how realms are
> handled, it would make sense to add a note about not using the normal
> defaults to this parameter too.

Also done for the next release.

> Thinking it through, I have a hunch why using the default "just specific
> to the UID" cache might be a bad idea if you don't have a daemon like
> winbindd to help manage sessions:

> If you log in once, and then a second time, and then log out one of
> those two sessions, that would empty/destroy the cache, leaving the
> other session with no ticket(s). I just tested that, and indeed it is
> the case.

Ah, yes, that was the problem. I've now documented that explicitly.

Thank you for the bug report!

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>